VPN

VPN tunnels are used to establish a secure connection to a remote network over a public network. For example, VPN tunnels can be used across the internet by an individual to connect to a secure corporate network while traveling, or by two office networks to function as one network. The two networks establish a secure connection across the (normally) unsecured internet by applying VPN encryption protocols to the traffic between them.

For IoT deployment, a VPN is necessary to move data from remote sensors and edge devices into a corporate or private LAN. Typically, a corporation will be behind a firewall and a VPN is the only means to move data directly into a private on-premises server. In these cases, a VPN may be a necessary component of the router to bridge the networks. Later in this chapter, a discussion of software-defined networks will present an alternative method to securing networks.

Several VPN technologies exist:

  • Internet Protocol Security (IPsec) VPN: The traditional form of VPN technology. It resides on the network layer of the OSI stack and secures data through a tunnel between two endpoints.
  • OpenVPN: An open source VPN for secure point-to-point and site-to-site connections in routed or bridged configurations. It uses a custom security protocol built on SSL/TLS (OpenSSL) for key exchange and for encrypting the control and data planes. It can run over UDP or TCP transports. Because SSL/TLS is supported by most browser applications, SSL VPN systems can provide secure tunnels on a per-application basis rather than for an entire network.
  • Generic Routing Encapsulation (GRE): Creates point-to-point connections between endpoints through a tunnel similar to a VPN tunnel, but it only encapsulates its payload rather than encrypting it. It wraps the inner packet within an outer packet, which allows the data payload to pass across other IP routers and tunnels unperturbed. Additionally, GRE tunnels can transport IPv6 and multicast transmissions.
  • Layer 2 Tunneling Protocol (L2TP): Creates a connection between two private networks via UDP datagrams; it is typically used for VPNs or as part of the delivery services offered by ISPs. The protocol itself provides no authentication or encryption, so it is usually combined with IPsec (L2TP/IPsec) for that ability.

A VPN must either trust the underlying network protocols or provide its own security. VPN tunnels typically use IPsec to authenticate and encrypt the packets exchanged across the tunnel. To set up a VPN tunnel from a router on one end, there must be another device (usually a router) that also supports IPsec on the other end. Internet Key Exchange (IKE) is the key-management protocol in IPsec. IKE has two phases. The first phase establishes a secure, authenticated channel between the peers; in the second phase, the IKE peers use that channel to negotiate the keys that protect the IPsec data traffic. The router offers several security protocol options for each phase, but the default selections will be sufficient for most users. Each IKE exchange uses one encryption algorithm, one hash function, and one DH group:

  • Encryption: Used to encrypt messages sent and received by IPsec. Typical encryption standards and algorithms include AES 128, AES 256, DES, and 3DES.
  • Hash: Used to compare, authenticate, and validate data across the VPN, ensuring it arrives in its intended form, and to derive the keys used by IPsec. Typical hash functions one should expect in an enterprise-grade router include MD5, SHA1, SHA2 256, SHA2 384, and SHA2 512. Note that some encryption/hash combinations (such as 3DES with SHA2 384/512) are computationally expensive, impacting WAN performance. AES provides good encryption and performs much better than 3DES.
  • DH groups: The DH (Diffie-Hellman) group is a property of IKE and determines the length of the prime modulus used for key generation. The strength of the generated key is partially determined by the strength of the DH group; a larger modulus gives a stronger key. Group 5, for instance, has greater strength than group 2:
    • Group 1: 768-bit modulus
    • Group 2: 1024-bit modulus
    • Group 5: 1536-bit modulus

In IKE phase one, you can select only one DH group if you are using aggressive exchange mode, because the initiator sends its DH public value in the very first message, before the group has been negotiated.

In the router's configuration interface the algorithms are listed in order of priority, and you can reorder the list by dragging algorithms up or down. Any selected algorithm may be negotiated for IKE, but the algorithms at the top of the list are offered first and are therefore more likely to be chosen.
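The following example, added here and not taken from the book or any router's firmware, models the phase-one proposal matching described above: each peer holds a priority-ordered list of (encryption, hash, DH group) proposals, the highest-priority proposal the initiator offers that the responder also accepts wins, and aggressive mode is rejected unless all of the initiator's proposals share one DH group. The policy thresholds (DES, 3DES, MD5 and SHA1 treated as weak; 2048-bit minimum modulus, which is DH group 14 from RFC 3526, a group not listed in the chapter) are the example's own assumptions, chosen to show how an unhardened priority list lets a legacy peer negotiate a weak combination.

```python
from dataclasses import dataclass
from typing import Optional

# DH group -> modulus length in bits. Groups 1, 2 and 5 are the ones listed in
# the chapter; group 14 (2048-bit, RFC 3526) is added as the assumed minimum.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}

# Assumed policy: obsolete algorithms a hardened router should not offer at all.
WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
MIN_DH_BITS = 2048


@dataclass(frozen=True)
class Proposal:
    enc: str       # e.g. "aes256"
    hash: str      # e.g. "sha256"
    dh_group: int  # IKE DH group number


def is_acceptable(p: Proposal) -> bool:
    """Reject weak ciphers/hashes and DH groups below the minimum modulus size."""
    return (p.enc not in WEAK_ENC and p.hash not in WEAK_HASH
            and DH_GROUP_BITS.get(p.dh_group, 0) >= MIN_DH_BITS)


def harden(policy: list[Proposal]) -> list[Proposal]:
    """Keep only acceptable proposals, preserving the router's priority order."""
    return [p for p in policy if is_acceptable(p)]


def negotiate(initiator: list[Proposal], responder: list[Proposal],
              aggressive: bool = False) -> Optional[Proposal]:
    """Pick the highest-priority initiator proposal that the responder also offers.

    In aggressive mode the DH public value travels in the first message, so the
    initiator may only offer proposals that agree on a single DH group.
    """
    if aggressive and len({p.dh_group for p in initiator}) > 1:
        raise ValueError("aggressive mode allows only one DH group in phase one")
    offered = set(responder)
    return next((p for p in initiator if p in offered), None)


# Constructed policies: the initiator lists a legacy proposal first.
INITIATOR = [Proposal("3des", "md5", 2), Proposal("aes256", "sha256", 14)]
LEGACY_RESPONDER = [Proposal("aes256", "sha256", 14), Proposal("3des", "md5", 2)]

if __name__ == "__main__":
    print("legacy responder:  ", negotiate(INITIATOR, LEGACY_RESPONDER))
    print("hardened responder:", negotiate(INITIATOR, harden(LEGACY_RESPONDER)))
```

With the legacy responder the initiator's first entry (3DES/MD5/group 2) is chosen even though both sides support AES-256/SHA-256/group 14; removing the weak entries from the responder's list is what forces the strong combination.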

A word of caution on mobile and power-constrained IoT deployments. A traditional VPN does not tolerate repeatedly losing and regaining network connectivity (as happens with cellular roaming, carrier switching, or intermittently powered devices). When the network tunnel is disrupted, the result is timeouts, disconnects, and failures. Some mobile VPN software, such as the Host Identity Protocol (HIP) from the IETF, attempts to resolve the problem by decoupling the VPN's logical connection from the changing IP addresses used while roaming. Another alternative is Software-Defined Networking (SDN), which will be covered later in this book.