WEBVTT

1
00:00:00.000 --> 00:00:01.410
In this lesson,

2
00:00:01.410 --> 00:00:04.350
we will learn about Virtual Private Network,

3
00:00:04.350 --> 00:00:06.420
or VPN architecture.

4
00:00:06.420 --> 00:00:10.140
VPN architecture extends access controls

5
00:00:10.140 --> 00:00:12.960
beyond traditional network boundaries.

6
00:00:12.960 --> 00:00:17.850
There are a variety of VPN models, such as client-server,

7
00:00:17.850 --> 00:00:21.000
site-to-site, and always-on VPN.

8
00:00:21.000 --> 00:00:25.020
A client-server VPN establishes a secure tunnel

9
00:00:25.020 --> 00:00:28.380
between an individual device known as a client

10
00:00:28.380 --> 00:00:29.880
and a central server.

11
00:00:29.880 --> 00:00:32.520
This ensures encrypted communication

12
00:00:32.520 --> 00:00:35.490
and network access for remote users.

13
00:00:35.490 --> 00:00:40.110
Next, a site-to-site VPN connects entire networks securely,

14
00:00:40.110 --> 00:00:43.440
which allows branch offices or remote sites

15
00:00:43.440 --> 00:00:45.840
to communicate with a central network

16
00:00:45.840 --> 00:00:48.840
as part of the same logical network.

17
00:00:48.840 --> 00:00:52.890
Finally, an always-on VPN is a VPN connection

18
00:00:52.890 --> 00:00:54.330
that is always active,

19
00:00:54.330 --> 00:00:57.450
so it provides continuous, secure access

20
00:00:57.450 --> 00:01:00.750
and enforces access policies consistently,

21
00:01:00.750 --> 00:01:03.450
regardless of the user's location.

22
00:01:03.450 --> 00:01:06.900
Let's learn more about client-server, site-to-site,

23
00:01:06.900 --> 00:01:10.860
and always-on virtual private network configurations.

24
00:01:10.860 --> 00:01:13.920
Then let's analyze a virtual private network

25
00:01:13.920 --> 00:01:15.600
configuration file.

26
00:01:15.600 --> 00:01:17.910
First, we have client-server

27
00:01:17.910 --> 00:01:20.910
virtual private networks, or VPNs.

28
00:01:20.910 --> 00:01:23.370
A client-server VPN connects

29
00:01:23.370 --> 00:01:26.970
an individual client device to a central server

30
00:01:26.970 --> 00:01:28.590
through an encrypted tunnel.

31
00:01:28.590 --> 00:01:32.520
This type of VPN is ideal for remote access,

32
00:01:32.520 --> 00:01:35.520
ensuring that the client can securely connect

33
00:01:35.520 --> 00:01:39.030
to the organization's logical internal network

34
00:01:39.030 --> 00:01:40.710
from any location.

35
00:01:40.710 --> 00:01:44.040
The encryption used in client-server VPNs

36
00:01:44.040 --> 00:01:45.930
typically involves protocols

37
00:01:45.930 --> 00:01:49.170
like internet protocol security, or IPsec,

38
00:01:49.170 --> 00:01:52.410
or transport layer security, or TLS.

39
00:01:52.410 --> 00:01:55.740
For example, when a remote employee connects

40
00:01:55.740 --> 00:01:59.610
to an organization's internal network using a VPN

41
00:01:59.610 --> 00:02:02.550
from their laptop, the connection is encrypted,

42
00:02:02.550 --> 00:02:05.340
meaning all data sent between the laptop

43
00:02:05.340 --> 00:02:09.300
and the server is protected from unauthorized access.

44
00:02:09.300 --> 00:02:13.440
The VPN server verifies the identity of the client

45
00:02:13.440 --> 00:02:15.480
through authentication methods

46
00:02:15.480 --> 00:02:18.300
like username-password combinations,

47
00:02:18.300 --> 00:02:20.220
or digital certificates.

48
00:02:20.220 --> 00:02:23.280
Once authenticated, the client has access

49
00:02:23.280 --> 00:02:27.660
to internal network resources such as files, applications,

50
00:02:27.660 --> 00:02:31.680
and databases, just as if they were physically connected

51
00:02:31.680 --> 00:02:33.540
to the corporate network.

52
00:02:33.540 --> 00:02:35.580
Second, we have site-to-site

53
00:02:35.580 --> 00:02:38.040
virtual private networks, or VPNs.

54
00:02:38.040 --> 00:02:40.560
A site-to-site VPN connects two

55
00:02:40.560 --> 00:02:44.250
or more entire networks together, such as the network

56
00:02:44.250 --> 00:02:47.700
of a company's headquarters and its branch offices.

57
00:02:47.700 --> 00:02:51.240
This type of VPN operates at the router level,

58
00:02:51.240 --> 00:02:54.180
meaning that the VPN connection is established

59
00:02:54.180 --> 00:02:58.980
between the routers of two networks, not individual devices.

60
00:02:58.980 --> 00:03:01.830
Site-to-site VPNs are typically used

61
00:03:01.830 --> 00:03:04.950
to connect geographically dispersed offices

62
00:03:04.950 --> 00:03:06.240
over the internet.

63
00:03:06.240 --> 00:03:10.350
The most common protocol used for site-to-site VPNs

64
00:03:10.350 --> 00:03:14.370
is the internet protocol security, or IPsec.

65
00:03:14.370 --> 00:03:18.120
IPsec encrypts and authenticates the data packets

66
00:03:18.120 --> 00:03:20.340
traveling between the sites.

67
00:03:20.340 --> 00:03:22.380
With a site-to-site VPN,

68
00:03:22.380 --> 00:03:26.370
all devices in one network can communicate securely

69
00:03:26.370 --> 00:03:28.620
with devices in the other network,

70
00:03:28.620 --> 00:03:32.130
making it appear logically as if both networks

71
00:03:32.130 --> 00:03:35.400
are part of the same local area network.

72
00:03:35.400 --> 00:03:38.460
This is particularly useful for companies

73
00:03:38.460 --> 00:03:41.100
with multiple office locations that need

74
00:03:41.100 --> 00:03:44.850
to securely share resources such as file servers,

75
00:03:44.850 --> 00:03:48.540
intranet applications, and internal services.

76
00:03:48.540 --> 00:03:51.690
Third and last, we have always-on

77
00:03:51.690 --> 00:03:54.540
virtual private networks, or VPNs.

78
00:03:54.540 --> 00:03:57.360
An always-on VPN is designed

79
00:03:57.360 --> 00:04:01.020
to provide a continuous, uninterrupted connection

80
00:04:01.020 --> 00:04:04.650
between a device and the organization's network.

81
00:04:04.650 --> 00:04:07.920
This type of VPN is typically configured

82
00:04:07.920 --> 00:04:11.280
to automatically establish the VPN connection

83
00:04:11.280 --> 00:04:13.680
whenever the device is turned on,

84
00:04:13.680 --> 00:04:16.650
regardless of where the user is located

85
00:04:16.650 --> 00:04:19.410
or what network they are connected to.

86
00:04:19.410 --> 00:04:23.370
Always-on VPNs are often used in environments

87
00:04:23.370 --> 00:04:26.460
where security is critical, such as government

88
00:04:26.460 --> 00:04:28.590
or healthcare organizations.

89
00:04:28.590 --> 00:04:30.930
The continuous connection ensures

90
00:04:30.930 --> 00:04:34.290
that any traffic between the user's device

91
00:04:34.290 --> 00:04:37.650
and the corporate network is always encrypted.

92
00:04:37.650 --> 00:04:40.440
This can be accomplished using technologies

93
00:04:40.440 --> 00:04:43.980
like the internet protocol security, or IPsec,

94
00:04:43.980 --> 00:04:47.640
and transport layer security, or TLS.

95
00:04:47.640 --> 00:04:51.600
Always-on VPN connections can also integrate

96
00:04:51.600 --> 00:04:53.970
with multifactor authentication

97
00:04:53.970 --> 00:04:56.370
to verify the user's identity

98
00:04:56.370 --> 00:04:58.710
each time the connection is made.

99
00:04:58.710 --> 00:05:02.250
For example, an employee who moves between the office,

100
00:05:02.250 --> 00:05:04.650
home, or a public Wi-Fi network

101
00:05:04.650 --> 00:05:06.960
will always have a secure connection

102
00:05:06.960 --> 00:05:08.760
to the company's resources

103
00:05:08.760 --> 00:05:11.280
without having to manually reconnect

104
00:05:11.280 --> 00:05:14.730
or worry about unprotected data transmission.

105
00:05:14.730 --> 00:05:19.730
Always-on VPNs also often include network access control

106
00:05:19.890 --> 00:05:23.460
to verify the security posture of the device

107
00:05:23.460 --> 00:05:27.450
before allowing full access to network resources.

108
00:05:27.450 --> 00:05:29.790
Now, let's look at and analyze

109
00:05:29.790 --> 00:05:33.720
an always-on OpenVPN virtual private network

110
00:05:33.720 --> 00:05:36.510
configuration file for an organization

111
00:05:36.510 --> 00:05:39.240
called ConnectUSCorp.

112
00:05:39.240 --> 00:05:44.240
Open on the screen in a notepad is our configuration file.

113
00:05:44.250 --> 00:05:47.040
Let's analyze some of its main parts.

114
00:05:47.040 --> 00:05:51.180
The first line specifies that this configuration file

115
00:05:51.180 --> 00:05:53.340
is for a VPN client.

116
00:05:53.340 --> 00:05:56.640
In a VPN setup, the client is the device

117
00:05:56.640 --> 00:05:59.070
that connects to the VPN server.

118
00:05:59.070 --> 00:06:02.490
By designating the configuration as client,

119
00:06:02.490 --> 00:06:06.570
the OpenVPN software knows that this is for connecting

120
00:06:06.570 --> 00:06:10.080
to a VPN server, not setting one up.

121
00:06:10.080 --> 00:06:13.710
The second line, dev tun, indicates

122
00:06:13.710 --> 00:06:17.640
that the VPN will create a virtual network interface

123
00:06:17.640 --> 00:06:21.360
of type tun, which is a tunnel interface.

124
00:06:21.360 --> 00:06:25.230
A tunnel interface is a virtual network layer device

125
00:06:25.230 --> 00:06:27.300
that operates at the network layer

126
00:06:27.300 --> 00:06:30.960
and routes IP packets through the VPN tunnel.

127
00:06:30.960 --> 00:06:34.920
The third line defines the address, protocol,

128
00:06:34.920 --> 00:06:37.320
and port number used to connect

129
00:06:37.320 --> 00:06:41.070
to the ConnectUSCorp VPN server.

130
00:06:41.070 --> 00:06:45.570
Line five, resolv-retry infinite, specifies

131
00:06:45.570 --> 00:06:47.760
that the client should keep retrying

132
00:06:47.760 --> 00:06:51.180
to resolve the server's domain name indefinitely

133
00:06:51.180 --> 00:06:55.710
in case the connection fails, or there is a DNS issue.

134
00:06:55.710 --> 00:06:59.010
This helps attempt to always make a connection.

135
00:06:59.010 --> 00:07:03.090
Line six, nobind, tells the client not to bind

136
00:07:03.090 --> 00:07:06.690
to a specific local port when making the connection.

137
00:07:06.690 --> 00:07:10.830
This allows OpenVPN to use any available port,

138
00:07:10.830 --> 00:07:13.110
which is useful in client scenarios

139
00:07:13.110 --> 00:07:16.380
because the client typically does not need to listen

140
00:07:16.380 --> 00:07:18.150
for incoming connections.

141
00:07:18.150 --> 00:07:22.290
Now, let's scan through the rest of the configuration file

142
00:07:22.290 --> 00:07:24.900
and highlight just a few other things.

143
00:07:24.900 --> 00:07:29.900
Persist-key and persist-tun help maintain the VPN connection

144
00:07:30.390 --> 00:07:33.900
in case of network disruptions or changes.

145
00:07:33.900 --> 00:07:36.630
Specifically, persist-key

146
00:07:36.630 --> 00:07:40.440
keeps the VPN client's encryption keys intact

147
00:07:40.440 --> 00:07:44.880
and persist-tun keeps the network interface active.

148
00:07:44.880 --> 00:07:49.200
Next, ping-restart and ping-timer-rem

149
00:07:49.200 --> 00:07:53.940
automatically reconnect if the VPN connection drops.

150
00:07:53.940 --> 00:07:57.690
Finally, user nobody and group nogroup

151
00:07:57.690 --> 00:08:02.010
drop privileges after connecting to the VPN server.

152
00:08:02.010 --> 00:08:06.060
Dropping privileges after a VPN connection is established

153
00:08:06.060 --> 00:08:08.760
minimizes the risk of exploits.

154
00:08:08.760 --> 00:08:11.910
Running the VPN client with lower privileges

155
00:08:11.910 --> 00:08:15.840
limits the potential damage if the client is compromised,

156
00:08:15.840 --> 00:08:18.870
following the principle of least privilege.

157
00:08:18.870 --> 00:08:22.110
This approach isolates the VPN process

158
00:08:22.110 --> 00:08:26.610
from critical system functions, reducing the attack surface.

159
00:08:26.610 --> 00:08:31.610
So remember, virtual private network, or VPN, architecture

160
00:08:32.160 --> 00:08:34.350
extends access controls

161
00:08:34.350 --> 00:08:37.230
beyond traditional network boundaries.

162
00:08:37.230 --> 00:08:41.790
There are different types of VPNs such as client-server,

163
00:08:41.790 --> 00:08:44.970
site-to-site, and always-on VPNs.

164
00:08:44.970 --> 00:08:49.440
A client-server VPN connects a device to a central server

165
00:08:49.440 --> 00:08:53.580
through an encrypted tunnel, allowing secure remote access.

166
00:08:53.580 --> 00:08:57.990
Next, a site-to-site VPN connects entire networks together,

167
00:08:57.990 --> 00:09:00.000
enabling secure communication

168
00:09:00.000 --> 00:09:02.670
between offices over the internet.

169
00:09:02.670 --> 00:09:07.050
And finally, always-on VPNs maintain continuous,

170
00:09:07.050 --> 00:09:09.630
encrypted communications to a network,

171
00:09:09.630 --> 00:09:11.850
providing uninterrupted access

172
00:09:11.850 --> 00:09:15.843
and enforcing security policies at all times.

