00:00:00 - When Cisco split the CCNA program into 2 separate
00:00:04 - certifications, the CCENT and CCNA, they really freed
00:00:09 - themselves up to add a lot more information to what it would
00:00:13 - be to be a true CCNA.
00:00:16 - One of the things that they added when they did the split was
00:00:19 - VPN technology. And this is a, from their point of
00:00:24 - view, I'm sure this was a tough decision, because VPNs are
00:00:27 - one of the things that are overtaking the world. It's a technology
00:00:31 - that is just becoming more and more popular everywhere you
00:00:34 - go. However, the complexity of it is enough to fill an entire
00:00:39 - course. I could, I could talk about VPNs in all their glory
00:00:44 - from concepts through configuration and it would easily take
00:00:49 - me a series of 30 videos to make that happen. So what they've
00:00:53 - done when they decided to splice VPNs into the CCNA
00:00:57 - program is Cisco thought, how about we give just enough to be
00:01:01 - dangerous? Meaning, just enough of the technology, what it is,
00:01:06 - what it's used for, and how it works to allow you to know
00:01:10 - what's going on, know what VPNs are all about, know where you would
00:01:13 - use them, but then leave the configuration to elsewhere. Thankfully,
00:01:18 - you know what the Cisco SDM is. A graphic interface.
00:01:23 - One of the major reasons Cisco released the SDM for their routers
00:01:26 - was because of VPN connections. To set them up from the
00:01:30 - command line it is so tedious and it can be, it can take so long
00:01:34 - and have so much troubleshooting, they just said, let's just make a wizard
00:01:37 - to do it and they did. So most of the individuals that set up
00:01:41 - VPNs nowadays, on Cisco routers and PIX firewalls use
00:01:45 - graphic interfaces to do it. Even myself, I will throw myself right
00:01:50 - out there. When push comes to shove I will reach for that GUI immediately
00:01:54 - because VPNs are a pain to configure. But I get too deep already.
00:01:59 - This is what we're going to talk about as we work through this video. Let's
00:02:02 - talk about what VPNs are.
00:02:06 - First and foremost for you acronym junkies, VPN stands
00:02:10 - for virtual private network. It is a network that is virtually
00:02:15 - private, not really private, and therein lies the whole concept of the VPN.
00:02:21 - Everybody has an internet connection. We have them from home, we
00:02:26 - have them at our offices, even if our office has private lines
00:02:30 - connecting them together like a private T1 line that ties
00:02:34 - your offices together, they probably have an internet connection
00:02:37 - too; so people can surf the internet from the office. You can
00:02:40 - have web servers at your office that people are accessing from
00:02:43 - the internet and all of that. So the whole concept of a VPN is
00:02:47 - since we're all connected to this big network why not use
00:02:51 - this big network a.k.a. the internet to allow all of our
00:02:55 - offices to talk together? So let's say this router
00:03:00 - over here represents an office in Arizona with 100 users
00:03:02 - connected to a LAN. This is an office in Florida. Now, if we were
00:03:07 - to purchase a we'll say T1 line, a private leased line
00:03:12 - between those offices, we would have to go to a service provider
00:03:16 - in Arizona and that would have to be a service provider that
00:03:19 - is somehow linked to California, sorry, Florida over there and we
00:03:22 - would say okay we will, we need a private line between
00:03:25 - these offices and they would say "ooof, private line";
00:03:29 - it's going to cost you
00:03:31 - 2,000 dollars a month. 2,000 dollars in a month!
00:03:35 - you say as you throw your pen down on the table and stare at
00:03:39 - them angrily. Yes that is, you know, a typical price of what
00:03:43 - it would cost if you're just going to get a private line between
00:03:46 - your offices. 2000 dollars.
00:03:50 - Now we have these links to the internet which are, you know,
00:03:54 - they're, they can be expensive but I would say overall they're a dime
00:03:57 - a dozen. In Arizona, you know, maybe for a 100 person office you
00:04:00 - might pay for a pretty decent internet speed, I mean a T1
00:04:04 - is about 1.544 megabits per second. And
00:04:08 - in Arizona, for, we'll say, a 2 to 3 megabit
00:04:13 - per second connection speed, a business class connection, you
00:04:17 - might be paying in the range of we'll say 300 to 500
00:04:21 - dollars a month. Now, that's a business class connection.
00:04:24 - I know some of you home users are like, "Hey, I can get internet at
00:04:27 - home faster than that for, you know, 60 bucks a month." That's
00:04:31 - a home connection. So we'll say for business class, you
00:04:34 - know, 200 to 300 dollars there, or sorry, 300 to 500,
00:04:37 - 300 or 500 dollars here, you not only get access
00:04:41 - to the internet, which you would need anyway, right, but, you can
00:04:45 - also create a VPN
00:04:50 - connection through the internet, a virtual private network
00:04:54 - that links the Arizona and Florida offices and not pay a penny
00:04:59 - more. That's my number 1 benefit for VPN connections,
00:05:03 - is that they are cheaper.
00:05:05 - They are also widely available. They're available anywhere the
00:05:09 - internet is available. Now, I'm talking right there of one type of
00:05:12 - VPN that links offices together but there's another type where
00:05:15 - we could have our users
00:05:18 - tie in from home using a VPN connection. And they are
00:05:24 - you know, it's as if we bought a private line for that PC
00:05:28 - or that home to link into the Arizona office. It's available anywhere
00:05:32 - the internet connection is available. So even that 60
00:05:35 - dollar a month internet connection can be used to allow the
00:05:39 - users to perform anything from home that they could as if they
00:05:43 - were actually in the Arizona office. It's VPN technology that
00:05:47 - has really led to the rise of telecommuting. People that work
00:05:51 - from home full time, and do not leave their home, but their home
00:05:56 - is also their office. Leads to happier employees because, man, you get
00:06:01 - to save the drive, the gas, the sitting in the office space that you
00:06:04 - don't really want to sit in, and, you know. It saves the company money
00:06:07 - because they don't have to build a cubicle, they don't have to provide
00:06:10 - you know, more restrooms, and more break rooms and all those services
00:06:13 - they have to provide to the employees on site. So it's a win-win situation for
00:06:17 - most people.
00:06:18 - Heavily encrypted and secured is the next thing. VPNs, the
00:06:23 - reason it's called virtual private network is because it's private
00:06:26 - and that privacy comes from the massive amount of encryption
00:06:30 - and security that's thrown on there. Therein is the benefit of
00:06:34 - VPN: it's very, very difficult to break into that. It's you
00:06:37 - know, I won't say anything's impossible but it is virtually
00:06:42 - impossible to break into a VPN connection
00:06:46 - from the internet. But there in that 3rd bullet point is its
00:06:50 - weakness as well. In that because it is so heavily secured
00:06:55 - and encrypted it takes a lot more overhead on the routers
00:07:01 - than just connecting on a private line. On a private line you
00:07:03 - don't have to encrypt anything you can just let them talk as
00:07:07 - if they were directly connected because it's private. But on
00:07:10 - the internet there's a lot of overhead, a lot of slowdown in
00:07:12 - processor utilization has to take place there.
00:07:15 - Last but not least, the big benefit is many to many connections. For
00:07:19 - instance, if I was in Arizona and Florida, to get a private
00:07:22 - line, it's 2000 bucks a month, we'll say, the price can
00:07:26 - vary, but you can only connect from Arizona to Florida. If Florida
00:07:31 - wanted to connect over here to California I would have to buy
00:07:34 - another private line. You know either Arizona would have
00:07:37 - to link to California or Florida would have to link to California.
00:07:40 - And that's another 2000 bucks a month because, that's
00:07:43 - another private line. With VPN's all you do is buy an internet
00:07:47 - connection in each location and that allows anybody to connect to
00:07:52 - anybody. Many to many connections. Remote users can then
00:07:56 - get into the California office. The site to site users, the Arizona
00:08:00 - to California they can all connect. So VPN is truly an any
00:08:05 - to any connectivity.
00:08:07 - VPN connections come in 2 major styles: site to site or
00:08:12 - what you see here as L to L, LAN to LAN. Or remote access.
00:08:17 - Now, this picture right here is a site to site VPN connection. This router
00:08:21 - represents some office that is connected to the internet through
00:08:26 - some, some kind of connection. Now you could have inside of that office
00:08:29 - any number of users, hundreds or even thousands of users.
00:08:33 - And whenever they access an IP address that is over at this
00:08:36 - site with however many users inside of it the router recognizes
00:08:40 - that needs to go across the VPN.
00:08:42 - So it will come in, clear text, you know, unprotected, unencrypted,
00:08:47 - as soon as it realizes it's going across the VPN it will
00:08:50 - encrypt it and send it through the internet which is a public
00:08:54 - network. It's very insecure; anybody can get that data, but
00:08:58 - it's still so heavily encrypted that nobody can get to it. It
00:09:01 - reaches the other end which un-encrypts the data and then sends
00:09:04 - it over here to the clients.
00:09:06 - That is the site to site VPN and that is a direct replacement
00:09:10 - for a private line. Something you're paying a lot of monthly
00:09:15 - charges for.
00:09:16 - If the site to site or LAN to LAN VPN links are offices,
00:09:21 - remote access VPNs link our homes or our laptops depending
00:09:26 - on where we are in the world. A remote access client is usually,
00:09:29 - not always, but usually, installed on a PC. You'll for instance
00:09:34 - go to the Cisco website and download the Cisco VPN client.
00:09:38 - Or Microsoft has a VPN client built in. You'll type all the
00:09:43 - information into that VPN client that's needed to authenticate
00:09:47 - or work for the central site. It's username and password
00:09:51 - or there's many different ways that they can have this.
00:09:55 - Some companies I don't know if you've seen these, have
00:09:59 - token cards, which means they, somebody to get on the VPN pulls
00:10:03 - a token out of their wallets, it looks like a credit card but it
00:10:06 - has a little electronic screen. They push a button on there
00:10:09 - and it generates a password that will let them connect to the
00:10:11 - VPN for exactly one minute. If they don't type that password in
00:10:15 - in one minute they have to hit the button again to get a new
00:10:17 - password because it's always changing
00:10:20 - based on time. That's pretty secure. So people don't actually
00:10:24 - have a password. They have a token card that generates a password
00:10:27 - for them for that time. They even have biometric methods nowadays;
00:10:32 - where people will have to, I don't know if you've seen them, I've seen them
00:10:36 - I want one, they're awesome. I don't know why I want one, but they're awesome. They are laptops
00:10:39 - that have thumbprint scanners on them. To where to get on
00:10:43 - the VPN you actually have to stick your thumb on the laptop.
00:10:47 - It scans to make sure that you are who you say you are. And
00:10:50 - I mean, I'm thinking, I don't know, you've seen Mission Impossible where they're
00:10:54 - lopping people's thumbs off and using them on the doors. And it's
00:10:57 - coming. I'm telling you. They have retina scanners where they'll scan
00:11:00 - your eyeball and
00:11:02 - weird and creepy stuff. So whatever method they have you'll
00:11:06 - authenticate, it goes across the internet to the router and
00:11:10 - that allows that PC to become one with the LAN. It's virtually
00:11:15 - as if that PC was connected to that network for however long
00:11:19 - they're connected to the VPN. As soon as they sever that they're now off
00:11:22 - on the internet again. Everything that they send is encrypted
00:11:26 - over the VPN.
00:11:28 - Now I would say the most advancement has been taking place
00:11:32 - in the remote access VPN arena in recent years. Site
00:11:36 - to site VPNs, they work, they're standard, they've been around for
00:11:39 - a long time. Remote access has really been evolving.
00:11:43 - Before recently, we would always have to you know purchase or buy that
00:11:47 - Cisco VPN client and install it on here. Nowadays they
00:11:51 - are setting up people's homes with little routers that make
00:11:55 - the VPN for you. So, you don't actually have to install anything
00:11:58 - on the laptop. You have this little router at home that will almost
00:12:02 - create a site to site style of VPN from your home to the
00:12:06 - corporate office. And that allows any device in your home to
00:12:10 - access the VPN for a time, or however long that's connected.
00:12:14 - The reason that's pretty cool is because now people can connect
00:12:17 - telephones, voice over IP phones, to the network in their
00:12:22 - home and they could actually have their work extension, we'll
00:12:25 - say extension 1003 sitting in their office that
00:12:28 - goes through the VPN and it's like having a telephone at the work
00:12:32 - site. But, it's at their home. People are dialing 1003
00:12:36 - and going over VPN and making somebody's home phone ring
00:12:39 - and they never know that because it's through the VPN. It's
00:12:43 - invisible. They also have a new technology in the remote access
00:12:47 - arena that is being called two names, either an SSL
00:12:51 - VPN
00:12:54 - or a Web VPN. These are two names for the same thing.
00:12:58 - Installing the clients on the PC is painful. Meaning, you as
00:13:04 - an administrator have to go to that person's laptop, get them
00:13:07 - set up, get them with the token card if you're using that. Or retina
00:13:11 - scanner, you know, whatever you're using. Get them all tweaked out and
00:13:14 - then they'll be able to go and authenticate. It's fine when you've got
00:13:17 - one, two, five users, you know, kind of thing, but when you've got
00:13:22 - fifty or sixty users that need to access the VPN that's
00:13:27 - a lot of time. So what SSL and Web VPNs do is they'll
00:13:31 - allow this router to generate a web page. Somebody will
00:13:38 - open their PC and it connects to the router and it will display
00:13:42 - this web page, and it will say, you know, type in your username and password.
00:13:46 - It'll have a field on there, or your token code for the minutes that
00:13:49 - it's valid. You type it in there and what will happen is the
00:13:53 - router will install a mini. It's like a mini-me version
00:13:57 - of the VPN clients on your laptop for as long as you are connected
00:14:02 - to that VPN and that will establish a VPN connection
00:14:05 - without ever having to install a client on the laptop or the
00:14:09 - PC. It's pretty awesome. And as soon as you close that page, VPN
00:14:13 - closes down and everything's eliminated. It actually tunnels all
00:14:18 - that information through that web page. So we will call that SSL
00:14:22 - tunneling. But that's where remote access connections are evolving to.
00:14:28 - That's the logical connections of how VPNs work. Now
00:14:32 - let's get a little bit technical and into the protocols that
00:14:36 - give them the power to do what they do.
00:14:39 - Just about everything that deals with VPN technology is
00:14:43 - worked all around this protocol known as IPSEC. IPSEC is
00:14:48 - the protocol that makes VPNs possible. It is the security
00:14:50 - protocol that does all the heavy encryption and so on. Now
00:14:54 - IPSEC works with TCP/IP, we know what TCP/IP is.
00:14:59 - It's the protocol of communication that lets you talk over
00:15:02 - the network. You've got things like TCP and UDP. IPSEC is
00:15:06 - just another one of those protocols. It actually works at
00:15:09 - the transport layer, like TCP and UDP, you have a choice.
00:15:13 - Your computer or your VPN can also choose to use IPSEC when
00:15:17 - communicating over a TCP/IP network. And IPSEC is not just
00:15:22 - one protocol. Just like when you say TCP/IP, there's many
00:15:26 - protocols that make that work like UDP and ARP and all
00:15:30 - these different protocols. IPSEC is the same way. Inside
00:15:33 - of it, it has all these different, what I call, chunks, the
00:15:37 - chunks that build the IPSEC. IPSEC is built of three
00:15:41 - major, or sorry, four major categories of protocols. The first,
00:15:46 - well, I'll take them out of order, is an encryption protocol.
00:15:50 - You get to choose one of those, and you can see the three in the list,
00:15:54 - encryption protocols to secure your data.
00:15:58 - And that is a list from strongest to weakest. The, or I'm sorry, it's from
00:16:02 - weakest to strongest. This is the weakest, DES, one of the first
00:16:06 - encryption protocols to come out. Triple DES is essentially triple
00:16:10 - the strength of DES and AES is the new U.S. Government standard
00:16:13 - that is the most powerful encryption that we have currently
00:16:18 - and that excludes, you know, all of the under the
00:16:22 - cover men in black style encryption that, you know, nobody really
00:16:26 - knows about or is proprietary and things like that. The
00:16:31 - benefit, I guess, is the weaker your encryption the less processing
00:16:36 - it takes and the overall faster connection you have. The stronger
00:16:41 - your encryption the more secure you are, the less chance you
00:16:44 - have of somebody breaking your VPN and getting into your organization
00:16:48 - but the more overhead you have and the longer it takes to do
00:16:51 - that encryption.
00:16:53 - So as an administrator when you set up your VPN you get
00:16:56 - to choose what kind of encryption to use.
00:16:59 - Authentication is the second piece.
00:17:02 - Authentication does a lot of things but primarily is focused
00:17:06 - around making sure data does not change from one end to the
00:17:10 - other. For example, if you have a client that is connected
00:17:15 - to a VPN. Here's our internet, and it's connected to a router
00:17:20 - that connects to the corporate network and there's a server.
00:17:22 - When somebody is trying to hack your network they may not
00:17:26 - understand all those packets that are going across because
00:17:29 - they're all encrypted. So they can't really see what they are
00:17:32 - but what they could do, let's say we've got an intruder here,
00:17:35 - remember the internet's a public network so anybody can get
00:17:38 - on. We have this intruder who may not understand what you're sending
00:17:43 - but what they can do is spoof packets. Meaning, send fake
00:17:48 - packets that look like you that kind of pretend to be you, but aren't
00:17:52 - really you. This is known as a man in the middle, a MIM, a
00:17:58 - man in the middle attack where he's in the middle of the conversation
00:18:01 - kind of taking packets, and pretending to be you and trying to decrypt
00:18:06 - the packets as it goes. You know, trying to break into that connection and
00:18:09 - what authentication does is prevent those kind of attacks. So
00:18:13 - authentication makes sure that the stuff that is being sent
00:18:17 - is from the original person sending it. And it detects if somebody
00:18:21 - changes your packets, like as it's going across maybe he grabs your packet
00:18:25 - and sends his own in place of it to try and, you know, pretend
00:18:29 - to be you and inject some stuff into the network that doesn't belong there.
00:18:34 - Well that's what authentication stops.
00:18:37 - Now, protection, I'll talk about that one third; the third chunk is what
00:18:41 - allows you to do all of this over a public network. Here's a thought you
00:18:48 - may not have thought through yet.
00:18:51 - If this guy is encrypting then he has to have an encryption
00:18:56 - key, right?
00:18:58 - I'll draw it like this. An encryption formula that allows him to scramble
00:19:02 - the data before he sends it. Now
00:19:06 - in order for this to work, this guy over here has to have the
00:19:11 - same encryption key. Meaning, he has to be able to unencrypt
00:19:15 - what you're sending him in order for it to be of any use at
00:19:18 - all. So when that PC connects to the VPN, somehow it
00:19:24 - has to get the encryption key it's going to use over to the
00:19:27 - router. Or vice versa the router would have to send the encryption
00:19:30 - key that it's going to use to the PC.
00:19:33 - Therein lies the problem. How do you send an encryption
00:19:37 - key over the internet
00:19:41 - to this person so that they can have it without this, this, you
00:19:45 - know, XX guy over here, the man in the middle, grabbing that key;
00:19:48 - because the internet's a public place. You can grab just about
00:19:51 - anything you want off of it. Without this guy grabbing
00:19:54 - that key and then having the encryption and decryption formula
00:19:58 - and breaking into the VPN that way. Well, that's what protection
00:20:02 - is all about. Diffie-Hellman is what that DH stands for, and I'm going
00:20:06 - to talk about the specifics of how this is possible next.
00:20:11 - The fourth chunk of IPSEC is, I guess, what you could
00:20:16 - call the engine.
00:20:18 - The idea behind IPSEC is they never wanted it to become out-dated.
00:20:23 - Meaning, new stuff comes out all the time. New encryption formulas
00:20:28 - are released, I mean, DH, or sorry, DES you see it right
00:20:32 - there under the encryption. When this originally came out
00:20:35 - it was back in probably the late seventies early eighties that
00:20:39 - was, that was like, oh, you are not breaking this. This is unbreakable.
00:20:43 - Nobody can mess with this and it's, this is the encryption
00:20:47 - formula that will end encryption formulas. We thought that was that
00:20:51 - was it. And then
00:20:53 - a twelve year old girl in Sweden, I'm not making this up, broke
00:20:59 - that encryption formula. A twelve year old girl figured out
00:21:03 - how to break the encryption formula that DES uses in a day; I
00:21:08 - think it was like within twenty four hours or less using her formula
00:21:11 - you could break in and pretty much tear that thing to shreds. Twelve
00:21:15 - year old girl.
00:21:17 - Unbelievable. She's now dead. The government got her.
00:21:20 - No, I don't know what happened to her. She's probably working for
00:21:22 - the CIA somewhere. But that's the idea, you know, encryption
00:21:26 - formulas change, you know, AES just came out, it's fairly new, and everybody's saying;
00:21:29 - oh, that thing's so powerful. But, you know, give it twenty years
00:21:33 - well ten years at the rate things are going and then it'll be, you know,
00:21:37 - people will be like, oh, yeah some two year old in Massachusetts totally
00:21:41 - tore that thing apart. It's always going to change, is my point. So what
00:21:44 - this negotiation protocol is there to do is be kind of a
00:21:51 - changer I guess. That's a horrible way to describe it, but it's essentially
00:21:57 - a piece of IPSEC that lets everything in IPSEC
00:22:02 - be changeable.
00:22:04 - Think about it this way. If IPSEC were a car this would be
00:22:08 - the engine of it. And you can actually change out the whole
00:22:12 - engine of IPSEC. If you had a four cylinder you could
00:22:15 - go on and swap it and put in an eight cylinder. That's what this AH, ESP
00:22:20 - and ESP plus AH is. AH was the original engine that came out
00:22:24 - with IPSEC. The problem is that AH or it's known as the authentication
00:22:29 - header, couldn't do encryption. That was back when IPSEC was
00:22:32 - just in its infancy. And so they came out with the
00:22:36 - ESP, think of that like the v6 engine for the IPSEC protocol.
00:22:40 - And that allowed it to do encryption and authentication and the protection,
00:22:44 - the chunks that you see on there. ESP plus AH came out
00:22:47 - which allows you to double up on things. That's like the v8
00:22:50 - engine. The, it's more powerful but sucks more gas you know, it's
00:22:53 - kind of a resource consuming chunk. And they can come
00:22:58 - out with new engines, you know, someday down the road they'll come out
00:23:01 - with jay five nine or something as a new engine of IPSEC
00:23:04 - that adds even more protection. That's the goal, is they don't
00:23:07 - want it to change. When you, when you think about TCP/IP,
00:23:11 - we currently use version four, but the problem is, is they're
00:23:15 - having to replace it. TCP/IP version four reached its max.
00:23:19 - It got maxed out, if you will, the IP addresses ran out. So TCP/IP
00:23:24 - version six is coming to replace it. They never wanted
00:23:27 - to have to do that with IPSEC.
00:23:31 - Alright, the last piece of VPN technology that we'll talk about
00:23:34 - here, is how does it all work? I mean, how is it possible to get
00:23:38 - true security over a public network when you have to send those
00:23:42 - encryption keys to each other,
00:23:45 - where anybody could grab them? Well here's the idea. The way VPNs work
00:23:49 - is through a combination of security keys.
00:23:54 - First and foremost I need to identify a big difference in
00:23:58 - technology. There are really two types of encryption and decryption.
00:24:02 - First I'll talk about symmetric.
00:24:06 - Symmetric encryption is encryption that uses the same key
00:24:12 - to encrypt and decrypt. Meaning, if you've got that key, this
00:24:16 - is known as a shared secret key you can, you can, take data you
00:24:20 - know, say somebody over here sends some data into the router
00:24:23 - you can take that and encrypt it and then when it gets over here
00:24:26 - to the internet and is received at the other side they can
00:24:30 - use the same exact key that you used to decrypt it.
00:24:34 - The benefit of symmetric encryption is it's really fast and
00:24:39 - it's really easy on your processor. When we talked about DES and
00:24:43 - triple DES three DES excuse me, and AES
00:24:48 - those are all forms of symmetric encryption. Meaning, they
00:24:51 - use the same key to encrypt and decrypt. Now that's great and
00:24:55 - it's very fast but the problem is when one of these routers
00:24:59 - is going to generate that key every single time somebody
00:25:03 - connects to the VPN and it has to send it over the internet to
00:25:06 - the other side so they've got that key to do the encryption
00:25:08 - and decryption. That's the problem I described before. So how
00:25:13 - do you do that without somebody grabbing that key in the middle and
00:25:16 - then, you know, using that to tear apart all your VPN and
00:25:19 - they can decrypt anything that you send. That's where Diffie-Hellman
00:25:23 - came in. Diffie-Hellman is actually the name of two
00:25:27 - guys that created a system for doing this. Diffie and Hellman actually
00:25:33 - worked together and here's the idea. Diffie-Hellman security uses
00:25:37 - something known as asymmetric
00:25:43 - encryption. What that means is you have a two key system.
00:25:49 - A public and private. The public key, anything that it encrypts
00:25:54 - can be decrypted with the private key.
00:25:58 - And anything the private key encrypts can be decrypted
00:26:01 - with the public key. They can do both but they're complete
00:26:04 - opposites of each other. Now they're called public and
00:26:09 - private key for a reason.
00:26:12 - When somebody connects to the VPN, let's say this is a site to site;
00:26:17 - I'll put S to S. Site to site VPN between these two routers. When somebody
00:26:22 - brings up that VPN connection, the first thing that happens
00:26:26 - is the router that receives the connection sends a key. Let's
00:26:31 - say that the right router connected to the left router.
00:26:34 - The left router will send the right router its Diffie-Hellman
00:26:40 - public key. Check out
00:26:41 - that animation, pretty sophisticated. So now this right router
00:26:45 - has an encryption formula. Anything encrypted with this public
00:26:50 - key can only be decrypted with the private key. Now there's
00:26:54 - the secret. That private key is kept hidden behind this router,
00:26:58 - or in that router. It will never be given out to anybody that's
00:27:02 - why they call it a private key. So the router on the right generates
00:27:06 - that shared secret key
00:27:10 - and encrypts it with this public key. Encrypted.
00:27:15 - So it sends this encrypted version of the shared secret key
00:27:19 - tracking across the internet here over here and that is completely
00:27:23 - scrambled and the only thing that can decrypt that is the
00:27:27 - private key.
00:27:29 - Likewise if we were to connect the other way, you know,
00:27:32 - the right router
00:27:36 - would send its public key over here and then its private key
00:27:39 - would be used to decrypt anything that the left router encrypted.
00:27:43 - But we're only using one set for now, so let me move these out of here
00:27:46 - so we're not confusing. Once this router on the left hand side
00:27:51 - has the shared secret key
00:27:54 - right here, it's able to decrypt it with private and then they
00:27:57 - now have, they both have the same symmetric
00:28:01 - encryption and decryption key that they can use for that session.
00:28:04 - Now once that VPN connection is done and over
00:28:08 - with. Meaning, okay we're ready to tear it down, that shared secret
00:28:11 - is thrown away. Off it goes. And the next time the connection
00:28:16 - happens a new shared secret key is going to be generated. So
00:28:20 - the point is, is that the encryption keys that are being used
00:28:23 - to encrypt all the data over the VPN are constantly changing.
00:28:27 - They're always being regenerated and renewed. Even if this is
00:28:31 - a site to site VPN connection that's always connected, it's always
00:28:34 - up always-on, after a certain amount of time it will say okay
00:28:38 - we've used these keys long enough let's scrap them and regenerate them again and
00:28:42 - then use these Diffie-Hellman keys to secure the exchange
00:28:46 - of that shared secret.
00:28:48 - Now, you might be thinking. Couple, couple of thoughts I had when
00:28:52 - I first got into cryptography
00:28:54 - and how all this works. Maybe you're thinking, well first off if you've
00:28:58 - got this encryption formula right here, Diffie-Hellman public and you're
00:29:03 - sending that all over the place, meaning, that's being sent in
00:29:05 - clear text across the internet, can't somebody get that key and
00:29:11 - you know, kind of reverse the formula to figure out the private. I mean,
00:29:16 - the way, the way I was thinking about it, I thought, you know, I
00:29:19 - took algebra, I even took calculus, you know, if the Diffie-Hellman
00:29:24 - public key is X plus one equals, you know, two; I can do
00:29:29 - the math subtract it out and be like, oh well then X really equals
00:29:32 - one, now I've got the secret. Well the, this, you can tell
00:29:38 - the brilliance of my mathematics. I'm like, that's difficult right there.
00:29:41 - But the
00:29:43 - public keys and the formulas that they use in those
00:29:47 - Diffie-Hellman public keys are so sophisticated and so advanced it
00:29:52 - is theoretically impossible to figure out what the reverse
00:29:57 - encryption of that is or what the reverse of it is. If you just
00:30:01 - have one side of the key. Meaning, inside of there they use logarithmic
00:30:05 - functions and things that just cannot be reversed. There's, there's
00:30:09 - a billion possible answers to what the reverse of
00:30:13 - that could be so, you know, you'll just have to trust me; that
00:30:16 - doesn't all make sense. It is impossible to create or reverse
00:30:22 - engineer a private key if you just have the public key.
00:30:26 - Second thought I had when I first was learning about this. If
00:30:29 - the public key and private key system is so super-duper
00:30:34 - secure, why do you even need this shared secret thing? I mean,
00:30:39 - why can't you just, you know, get
00:30:43 - the shared secrets out of here and, you know, reduce some of the complexity
00:30:46 - right? And just, just say okay we'll just use the public and I'll
00:30:50 - send you my public and you'll send me your public and
00:30:54 - then I'll use this to encrypt everything and you can decrypt it
00:30:57 - with your private. And you can, you know, you can use; let
00:31:01 - me put these keys in the right place. You can encrypt anything you
00:31:04 - need to send me with your public and I'll decrypt it with my private,
00:31:07 - you know, then kind of swap it that way. Well honestly that would work
00:31:10 - in that it would, it would be secure, but these formulas; it kind of
00:31:16 - goes along with the last answer I gave you. These formulas
00:31:19 - are so massive and so super complex that they cause a ton
00:31:24 - of overhead. Asymmetric is like a hundred times more processing
00:31:29 - than what a symmetric key would be. It really burdens down your
00:31:33 - router and that's why the routers only use them for an instant.
00:31:37 - They just use that encryption formula and that system to get
00:31:40 - the symmetric key across and then it says okay I'm done with
00:31:43 - you because you max out my processor. Otherwise that would be
00:31:47 - the perfect encryption solution.
00:31:50 - That's the idea behind VPN connections. At least at the
00:31:54 - CCNA level. I encourage you, if you want to know more about
00:31:58 - VPNs, CISCO has now added it to the CCNP track. It's actually
00:32:03 - in the CCNP now under the ISCW exam. So if you want
00:32:09 - to check out CBTNuggets, they offer that video. And also if you
00:32:12 - want the full scoop, the ISCW gives you much more than what
00:32:16 - I just gave you, it's about eight videos on it. But if you want the
00:32:19 - full scoop on what VPNs are, how to set them up, how to work with
00:32:22 - them, all that, that's what the CCSP track is all about.
00:32:26 - The security track for, did I say CCSP? I think I did. CCSP. The security
00:32:32 - track for CISCO that's where they talk fully about them. In
00:32:35 - here we talk about why use VPN connections. And to review,
00:32:39 - we use VPN connections because they're cheaper. They allow
00:32:43 - more flexibility, you can connect to more places and you can
00:32:46 - just use your existing internet connection to make that happen.
00:32:48 - They're very flexible. We looked at the different styles of VPN connections,
00:32:53 - which was really divided into site-to-site and remote access
00:32:56 - VPNs. Where remote access is seeing the most evolution right
00:32:59 - now as we move in to technologies like web VPNs. Finally
00:33:03 - we looked at a high level overview of VPN connectivity. Talked
00:33:07 - about the IPSEC protocol suite that allows VPNs to
00:33:10 - happen. And how IPSEC and how VPNs can securely communicate
00:33:15 - over a public network. I hope this has been informative for you and I'd like
00:33:19 - to thank you for viewing.