Networking Services and Applications

Basics of Virtual Private Network

A virtual private network (VPN) is used by remote hosts to access a private network through an encrypted tunnel through a public network.

Once a VPN connection is made, the remote host is no longer considered remote. It is actually seen by the private network as a local host. Even though the network traffic may pass through many different routers or systems, it is seen by both ends as a direct connection.

The use of VPN can help reduce networking costs for organizations and businesses. The cost reduction is partially achieved because the VPN doesn’t require the use of a dedicated leased line to create the connection.

VPN types:

1. The site-to-site VPN allows a remote site’s network to connect to the main site’s network and be seen as a local network segment.

   • VPN concentrators on both ends of a VPN will manage the connection.

2. The remote access VPN (host-to-site VPN) allows select remote users to connect to the local network.

   • A VPN concentrator on the local network will manage the connections coming from the remote users.

   • The remote system making the connection uses special software, called VPN client software, to make the connection.

3. The host-to-host VPN(SSL VPN) allows a secure connection between two systems without the use of VPN client software.

   • A VPN concentrator on the local network manages the connections.

   • The host seeking to connect uses a Web browser that supports the correct encryption technology (either SSL or TLS) to make the connection to the VPN concentrator.

Protocols used by Virtual Private Networks

• Internet Protocol Security (IPsec)

  1. Works at Layer 3 of the OSI model and above.

  2. The most common suite of protocols to secure a VPN connection.

  3. Can be used with the Authentication Header (AH) protocol

     • AH only offers authentication services. no encryption

  4. Can be used with Encapsulating Security Payload (ESP)

     • ESP both authenticates and encrypts packets (the most popular method)

  5. Both AH and ESP will operate in one of two modes

     • Can be used in transport mode between two devices (Eg. host to host VPN).

     • Can be used in tunnel mode—between two endpoints (Eg. site-to-site VPN).

  6. IPSec implements Internet Security Association and Key Management (ISAKMP) by default.

     • ISAKMP provides a method for transferring security key and authentication data between systems. outside of the security key generating process (a much more secure process).

• Generic Routing Encapsulation (GRE)

  1. GRE is a tunneling protocol that is capable of encapsulating a wide variety of network layer protocols.

  2. It is often used to create a sub-tunnel within an IPsec connection.

     • IPsec will only transmit unicast packets (one-to-one communication). In many cases, there is a need to transmit multicast (one-to-some communication) or broadcast (one-to-many communication) packets across an IPsec connection. By using GRE, this can be accomplished.

• Point-to-Point Tunneling Protocol (PPTP)

  • An older VPN technology that supports dial-up VPN connections. On its own, it lacked native security features.

    • Microsoft implementation included additional security by adding GRE.

• Transport Layer Security (TLS) Protocol

  1. TLS is a cryptographic protocol used to create a secure encrypted connection between two end devices or applications.

     • It uses asymmetrical cryptography to authenticate end points and then negotiate a symmetrical security key, which is used to encrypt the session.

  2. TLS has largely replaced the Secure Socket Layer protocol.

  3. It Works at Layer 5 and above of the OSI model.

  4. The most common use is in creating a secure encrypted Internet session (SSL VPN)

     • All modern Web browsers support TLS.

• Secure Socket Layer (SSL) Protocol

  1. SSL is an older cryptographic protocol that is very similar to TLS.

  2. The most common use is in Internet transactions.

     • All modern Web browsers support SSL.

  3. Due to issues with earlier versions of the protocol, it has largely been replaced by the TLS protocol.

     • SSL v.3.3 has been developed to address the weaknesses of the earlier versions.

Network access services

• Network interface controller (NIC)

  1. It can also be called a network interface card.

  2. The NIC is how a device connects to a network.

  3. It works at two layers of the OSI model:

     • At Layer 2 (the data link layer), it provides the functional means of network communication by determining which networking protocols will be used (e.g., Ethernet and Point-to-Point Protocol). It also provides the local network node address through its burned in physical MAC address.

     • At Layer 1 (the physical layer), it determines how the network data traffic will be converted a bit at a time into an electrical signal that can traverse the network media being used.

  4. Most modern computers come with at least one built in Ethernet NIC.

  5. Routers and other network devices may use separate modules that can be inserted into the device to provide the proper NIC for the type of media they are connecting to and the networking protocol that is being used.

• RADIUS (Remote Authentication DIal In User Service)

  1. A remote access service that is used to authenticate remote users and grant them access to authorized network resources.

  2. It is a popular AAA (Authentication, Authorization and Accounting) protocol used to help ensure that only authenticated end users are using the network resources they are authorized to use.

     • The accounting features are very robust.

  3. Only the requestor’s (the end user’s) password is encrypted.

• TACACS+ (Terminal Access Controller Access-Control System Plus)

  1. A remote access service that is used to authenticate remote devices and grant them access to authorized network resources.

  2. It is a popular AAA protocol used to help ensure that only authenticated remote network devices are using the network resources they are authorized to use.

     • The accounting features are not as robust as those of RADIUS.

  3. All transmissions between devices are encrypted.

Other Services and Applications

• RAS (Remote Access Services)

  1. Not a protocol, but a road map.

  2. A description of the combination of software and hardware required for a remote access connection. A client requests access from a RAS server, which either grants or rejects access.

• Web services

  • Creating a means of cross communication.

  • Provides the means for communication between software packages or disparate platforms. It is usually achieved by translating the communication Into an XML (Extensible Markup Language)format.

• Unified Voice services

  • Creating better voice communication systems.

  • A description of the combination of software and hardware required to integrate voice communication channels Into a network.

DHCP in the network

Static vs Dynamic IP Addressing

Most likely, a computer received its IP configuration from a DHCP (Dynamic Host Configuration Protocol) server. Not only did the server give the PC an IP address, but it also told the PC where the default gateway was – and more than likely – how to find the DNS server.

A computer will receive its IP configuration in one of two ways, statically (manually set) or dynamically(through a service like DHCP). Static address assignment works fine for a very small and stable network, but quickly becomes unwieldy and error prone as the network grows.

• Static IP addressing

  1. The administrator assigns an IP number and subnet mask to each host in the network.

     • Each network interface that is going to be available to connect to the network requires this information.

  2. The administrator assigns a default gateway location and DNS server location to each host in the network.

     • These are required if access outside the network is going to be allowed (default gateway) and human friendly naming conventions are allowed to find network resources (DNS server).

  3. Each time a change is made (Eg. a new default gateway is established) each IP configuration on each host must be updated.

• Dynamic IP addressing

  1. The administrator configures a DHCP server to handle the assignment process, which automates the process.

     • The DHCP server listens to a specific port for IP information requests.

     • Once it receives the request, the DHCP server responds with the required information.

How does DHCP work?

1. Upon boot up, a PC that is configured to request an IP configuration, sends a DHCP discovery packet.

   • The discovery packet is sent to the broadcast address: 255.255.255.255:67(UDP port 67).

2. The DHCP server receives the discovery packet and responds with an offer packet.

   • The offer packet is sent to the MAC address of the computer using UDP port 68.

3. The computer receives the offer packet from the DHCP server and returns a request packet (requesting the proper IP configuration) to the DHCP server.

4. Once the DHCP server receives the request packet, it sends back an acknowledgement packet, which contains the required IP information.

5. Upon receipt of the acknowledgement packet, the PC changes its IP configuration to reflect the information received.

Components and process of DHCP

• Ports used

  1. PC sends discovery packet to 255.255.255.255:67.

  2. DHCP sends the offer packet to the PC’s MAC address on port 68.

• Address Scope

  1. Administrator configures the IP address range with one that is available to be handed out.

• Address reservations

  1. Administrator receives specific IP addresses to be handed out to specific MAC addresses. These are used for devices that should always have the same IP address (Eg. servers and routers).

  2. Allows for these addresses to be changed from a central location instead of having to log in to each device separately.

• Leases

  1. Configuration parameters are only good for a specified amount of time.

  2. Leases are configured by the administrator.

• Options

  1. Default gateway location

  2. DNS server address (there can be more than one)

  3. Time server address

  4. Many additional options

• Preferred IP configuration

  1. A PC can have a preferred IP address.

  2. The administrator can configure the DHCP server to either honor the preference or ignore it.

Under the right circumstances, a DHCP server isn’t required to reside on the local network segment.

Broadcast transmissions cannot pass through a router. If there is not a DHCP server on the local network segment, the router can be configured to be a DHCP relay. When a DHCP relay (which can also be called an IP helper) receives a discovery packet from a node, it will forward that packet to a network segment on which the DHCP server resides.

This allows for there to be fewer configured DHCP servers in any network, reducing the amount of maintenance that an administrator needs to perform.

Introduction to DNS service

DNS servers

DNS is the process that maps human friendly names to IP addresses. Without it, we would have to memorize numerous IP addresses.

Domain Name System (DNS) is hierarchical (very structured) in nature. If the local DNS server apparatus doesn’t contain the record needed, it sends a request up the chain until a positive response is received (which gets back down to the original requestor). DNS does not require a FQDN (fully qualified domain name) in order to function.

Different Types of DNS servers

• Local DNS server

  1. The server on the local network contains the HOSTS file that maps the FQDN to IP addresses in the local subdomain.

• Top Level Domain (TLD) server

  1. The server that contains the records for a top level domain.

     • Examples include: com, org, net, edu, gov , mil and int.

     • Each of these contain all of the information for their respective domains (kind of).

     • TLD servers do delegate down the second level to ease the load; however, the TLD server is the responsible server.

• Root server

  1. The server that contains the records for the TLD servers.

Authoritative

1. An authoritative DNS server is one that responds to a request that has been specifically configured to contain the information.

2. An authoritative response comes from the DNS server that actually holds the original record.

• Non-Authoritative

  1. A non authoritative DNS server is one that responds to a request with DNS information that it received from another server.

  2. A non authoritative response is not a response from the official name server of the domain. Instead it is a second or third hand response (or even further removed).

DNS records

• A record

  1. Maps the host name to their IPv4 records.

• AAAA record

  1. Maps the host name to their IPv6 records.

• CNAME record

  1. Maps canonical (alias) names to hostnames.

• PTR record

  1. Pointer record that points to a canonical name.

• MX record

  1. Maps to the email server that is specified for a specific domain. It is the record that determines how email travels from sender to receipt.

Dynamic DNS

• Dynamic DNS (DDNS)

  1. Permits lightweight and immediate updates to a local DNS database. This is very helpful when the FQDN remains the same, but the IP address is able to change on a regular basis.

  2. It is implemented as an additional service to DNS.

• DDNS updating

  1. A method of updating traditional name servers without the intervention of an administrator (no manual editing or inputting of the configuration files is required).

     • A DDNS provider supplies software that will monitor the IP address of a referenced system. Once the IP address changes, the software sends an update to the proper DNS server.

     • DDNS is useful when access is needed to a domain whose IP address is being supplied dynamically by an Internet Service Provider (ISP).

Introduction to network address translation

Purpose

Network address translation (NAT) solves the problem of how to route non routable IP addresses.

As a partial effort to conserve the IPv4 address space, the private IPv4 addressing spaces were developed These address spaces were removed from the public IPv4 address spaces and made non-routable across public IPv4 networks.

Being non-routable prevents the private IPv4 addresses from communicating with remote public networks. NAT very simply solves this problem. A router with NAT enabled will translate a private IP address into a routable public IP address. When the response returns to the router, it passes the response back to the device that requested it.

How does NAT work?

The two categories of NAT:

• Static NAT (SNAT)

  1. Each private IP address is assigned to a specific routable public IP address. This relationship is kept and maintained by the NAT enabled router

     • When a device needs access outside of the local network, the router translates the local IP address to the assigned public IP address When the response comes back, the router will translate the public IP address back into the local one.

     • SNAT is not flexible and leads to scalability issues. An individual routable IP address must be kept for every device that requires access outside of the local network.

• Dynamic NAT (DNAT)

  1. The NAT enabled router dynamically assigns a routable IP address to devices fro a pool of available public IP addresses.

     • When a device needs access outside of the local network, the router performs the NAT function, only the public IP address comes from a reusable pool of public IP addresses.

     • As initially designed, DNAT was more flexible than SNAT, but still led to some scalability issues. As more network traffic requires access to remote networks, the pool of available public IP addresses needs to increase or outside access cannot be achieved.

• Port address translation (PAT)

  1. PAT is a type of DNAT that was developed to increase the scalability of NAT.

     • When a local network device requires access to a public network, the NAT enabled router dynamically assigns the public IP address to the device with the addition of dynamically assigning a port number to the end of the public IP address.

     • The router tracks the IP addresses and port numbers to ensure that network traffic is routed to and from the proper devices.

     • PAT still requires a pool of public IP addresses, but the pool may only contain one address or it may contain several for a large private network.

     • This is the preferred method of implementing NAT for two reasons: less public IP addresses are required and it is also easier for administrators to maintain.

• The NAT terminology

  1. Inside local address: a private IP address on the local network.

     • The private IP address assigned to a specific device.

  2. Inside global address: a public IP address referencing an inside device.

     • The public IP address assigned to the inside device by the NAT enabled router to allow access outside of the network.

  3. Outside global address: a public IP address referencing an outside device.

     • The public IP address assigned to a device outside of the local network.

  4. Outside local address: a private IP address assigned to an outside device.

     • The private IP address assigned to an outside device on the interior of the focal network.

To keep expanding your knowledge base about networking and learning with me. Don't forget to subscribe to my newsletter to receive updates about my new learning everyday. Consider following me on LinkedIn. Want to know more about me!! follow me on Instagram!!