Security / VPN / Tunneling
==========================

This section covers the protocols and technologies that secure communication over untrusted networks: link- and network-layer encryption (MACsec, IPsec), tunneling (SSH, L2TP, VPNs), key negotiation (IKEv2), and segmentation (DMZ, firewalls). Together they provide confidentiality, integrity and access control for traffic that crosses networks you do not control.

.. toctree::
   :maxdepth: 1
   :hidden:
   :includehidden:

   SSH
   IPsec
   L2TP
   IKEv2
   VPN
   DMZ
   Firewall
   MACsec_802_1ae

.. list-table::
   :widths: 20 60 20
   :header-rows: 1

   * - Protocol / Tech
     - Description
     - Use Case
   * - SSH (Secure Shell)
     - Secure remote access protocol using encryption and key-based authentication. *Supports tunneling, file transfer, and remote command execution.*
     - Secure remote login to servers and network devices.
   * - IPsec (Internet Protocol Security)
     - Suite of protocols for securing IP traffic via encryption and authentication. *Works in transport or tunnel mode.*
     - Site-to-site or remote-access VPNs.
   * - L2TP (Layer 2 Tunneling Protocol)
     - Tunneling protocol with no encryption of its own; in practice combined with IPsec. *Encapsulates PPP frames for VPNs.*
     - Secure remote VPN access (L2TP/IPsec).
   * - IKEv2 (Internet Key Exchange v2)
     - Protocol for negotiating and maintaining IPsec security associations. *Supports fast reconnection and mobility (MOBIKE).*
     - Mobile VPNs, secure key negotiation.
   * - VPN (Virtual Private Network)
     - Encrypted connection over a public network that emulates a private one. *Built on protocols such as IPsec, TLS (OpenVPN) or WireGuard.*
     - Remote access to internal networks.
   * - DMZ (Demilitarized Zone)
     - Network segment exposed to external users but isolated from the internal LAN. *Hosts public services such as web or mail servers.*
     - Hosting internet-facing applications with limited blast radius.
   * - Firewall
     - Security system that filters traffic based on rules. *Protects networks from unauthorized access.*
     - Enforcing access control between networks.
   * - MACsec (802.1AE)
     - Link-layer encryption for LAN security. *Encrypts and authenticates Ethernet frames hop by hop to prevent snooping and tampering on the wire.*
     - Securing Layer 2 segments in enterprise networks.

.. tab-set::

   .. tab-item:: SSH (Secure Shell)

      **RFC:** RFC 4251–4254

      **Main Features:**

      - Encrypted remote access to devices and servers
      - Supports tunneling, port forwarding, and file transfers (SCP/SFTP)
      - Key-based authentication and session security

      **Use Cases:**

      - Secure system administration
      - File transfer over insecure networks

      **Alternative Protocols:**

      - Telnet (insecure, legacy)
      - RDP – for graphical remote access

      .. panels::
         :container: container pb-4
         :column: col-lg-12 p-2

         **Let us learn more about SSH:**

         * :ref:`Learnings in this section `
         * :ref:`Terminology `
         * :ref:`Version Info `
         * :ref:`SSH Version&RFC Details `
         * :ref:`SSH Basic Setup on Ubuntu using IPv4 `
         * :ref:`SSH Basic Setup on Ubuntu using IPv6 `
         * :ref:`SSH Protocol Packet Details `
         * :ref:`SSH Usecases `
         * :ref:`SSH Basic Features `
         * :ref:`SSH Feature : Secure Remote Access `
         * :ref:`SSH Feature : Authentication Methods `
         * :ref:`SSH Feature : Encryption `
         * :ref:`SSH Feature : Port Forwarding `
         * :ref:`SSH Feature : File Transfer `
         * :ref:`SSH Feature : Command Execution `
         * :ref:`SSH Feature : Session Management `
         * :ref:`SSH Feature : Key Management `
         * :ref:`SSH Feature : Access Control `
         * :ref:`SSH Feature : Logging & Auditing `
         * :ref:`Reference links `

         .. button-link:: ./SSH.html
            :color: primary
            :shadow:
            :expand:

            Jump to "SSH"

.. tab-set::

   .. tab-item:: IPsec (Internet Protocol Security)

      **RFC:** RFC 4301 (architecture), RFC 4303 (ESP), RFC 4302 (AH)

      **Main Features:**

      - Encrypts and authenticates IP packets
      - Supports transport mode (protects the payload, original IP header kept) and tunnel mode (protects the whole inner packet behind a new outer header)
      - Often used in VPNs and secure WAN communication

      **Use Cases:**

      - Enterprise VPNs (site-to-site or remote access)
      - Secure communication between data centers

      **Alternative Protocols:**

      - TLS-based VPNs (OpenVPN) and WireGuard (its own Noise-based handshake, not TLS)
      - MACsec – for Layer 2 encryption

      .. panels::
         :container: container pb-4
         :column: col-lg-12 p-2

         **Let us learn more about IPsec:**

         * :ref:`Learnings in this section `
         * :ref:`Terminology `
         * :ref:`Version Info `
         * :ref:`IPsec Version&RFC Details `
         * :ref:`IPsec Basic Setup on Ubuntu using IPv4 `
         * :ref:`IPsec Basic Setup on Ubuntu using IPv6 `
         * :ref:`IPsec Protocol Packet Details `
         * :ref:`IPsec Usecases `
         * :ref:`IPsec Basic Features `
         * :ref:`IPsec Feature : Encryption `
         * :ref:`IPsec Feature : Authentication `
         * :ref:`IPsec Feature : Integrity Checking `
         * :ref:`IPsec Feature : Transport Mode Support `
         * :ref:`IPsec Feature : Key Exchange (IKE/IKEv2) `
         * :ref:`IPsec Feature : Security Associations (SAs) `
         * :ref:`IPsec Feature : Protocol Support (ESP & AH) `
         * :ref:`IPsec Feature : NAT Traversal `
         * :ref:`IPsec Feature : Replay Protection `
         * :ref:`IPsec Feature : Flexible Algorithm Support `
         * :ref:`Reference links `

         .. button-link:: ./IPsec.html
            :color: primary
            :shadow:
            :expand:

            Jump to "IPsec"

.. tab-set::

   .. tab-item:: L2TP (Layer 2 Tunneling Protocol)

      **RFC:** RFC 2661 (L2TPv2), RFC 3931 (L2TPv3)

      **Main Features:**

      - Tunnels PPP frames across IP networks
      - No built-in encryption or authentication of data; deployed as L2TP/IPsec, where IPsec protects the L2TP/UDP traffic
      - Often used in legacy VPN setups

      **Use Cases:**

      - L2TP/IPsec VPN for remote users
      - Legacy Windows VPN infrastructure

      **Alternative Protocols:**

      - PPTP (deprecated; its MS-CHAPv2/MPPE protection is broken)
      - OpenVPN, WireGuard

      .. panels::
         :container: container pb-4
         :column: col-lg-12 p-2

         **Let us learn more about L2TP:**

         * :ref:`Learnings in this section `
         * :ref:`Terminology `
         * :ref:`Version Info `
         * :ref:`L2TP Version&RFC Details `
         * :ref:`L2TP Basic Setup on Ubuntu using IPv4 `
         * :ref:`L2TP Basic Setup on Ubuntu using IPv6 `
         * :ref:`L2TP Protocol Packet Details `
         * :ref:`L2TP Usecases `
         * :ref:`L2TP Basic Features `
         * :ref:`L2TP Feature : Tunneling `
         * :ref:`L2TP Feature : Session Multiplexing `
         * :ref:`L2TP Feature : Control and Data Separation `
         * :ref:`L2TP Feature : Protocol Independence `
         * :ref:`L2TP Feature : UDP-Based Transport `
         * :ref:`L2TP Feature : No Native Encryption `
         * :ref:`L2TP Feature : AVP-Based Control Messages `
         * :ref:`L2TP Feature : Reliability for Control Messages `
         * :ref:`L2TP Feature : Tunnel and Session IDs `
         * :ref:`L2TP Feature : Extensibility (L2TPv3) `
         * :ref:`Reference links `

         .. button-link:: ./L2TP.html
            :color: primary
            :shadow:
            :expand:

            Jump to "L2TP"

.. tab-set::

   .. tab-item:: IKEv2 (Internet Key Exchange v2)

      **RFC:** RFC 7296

      **Main Features:**

      - Automates authentication, key exchange and SA setup for IPsec
      - Supports EAP authentication (certificates, pre-shared keys and EAP methods)
      - Handles address changes and reconnection efficiently (MOBIKE, RFC 4555)

      **Use Cases:**

      - Mobile VPNs on iOS, Android
      - IPsec-based secure tunnels

      **Alternative Protocols:**

      - IKEv1 (legacy)
      - TLS for non-IPsec VPNs

      .. panels::
         :container: container pb-4
         :column: col-lg-12 p-2

         **Let us learn more about IKEv2:**

         * :ref:`Learnings in this section `
         * :ref:`Terminology `
         * :ref:`Version Info `
         * :ref:`IKEv2 Version&RFC Details `
         * :ref:`IKEv2 Basic Setup on Ubuntu using IPv4 `
         * :ref:`IKEv2 Basic Setup on Ubuntu using IPv6 `
         * :ref:`IKEv2 Protocol Packet Details `
         * :ref:`IKEv2 Usecases `
         * :ref:`IKEv2 Basic Features `
         * :ref:`IKEv2 Feature : Secure Key Exchange `
         * :ref:`IKEv2 Feature : Authentication `
         * :ref:`IKEv2 Feature : Security Associations (SAs) `
         * :ref:`IKEv2 Feature : Mobility and Multihoming (MOBIKE) `
         * :ref:`IKEv2 Feature : Session Resumption `
         * :ref:`IKEv2 Feature : Message Fragmentation `
         * :ref:`IKEv2 Feature : Traffic Selectors `
         * :ref:`IKEv2 Feature : Encryption Agility `
         * :ref:`IKEv2 Feature : Post-Quantum Readiness `
         * :ref:`IKEv2 Feature : Extensibility via Payloads `
         * :ref:`Reference links `

         .. button-link:: ./IKEv2.html
            :color: primary
            :shadow:
            :expand:

            Jump to "IKEv2"

.. tab-set::

   .. tab-item:: VPN (Virtual Private Network)

      **Standard:** Conceptual (built from the protocols above)

      **Main Features:**

      - Encrypts traffic across public networks
      - Hides the client's source address from the services it reaches and the traffic contents from the local network; the VPN endpoint itself still sees both
      - Supports multiple protocols (IPsec, TLS, WireGuard, etc.)

      **Use Cases:**

      - Secure remote access
      - Privacy and bypassing censorship

      **Alternative Protocols:**

      - MPLS VPN (carrier-grade; separates customer traffic but does not encrypt it)
      - Zero Trust access models (per-application access instead of network-level reachability)

      .. panels::
         :container: container pb-4
         :column: col-lg-12 p-2

         **Let us learn more about VPNs:**

         .. button-link:: ./VPN.html
            :color: primary
            :shadow:
            :expand:

            Jump to "VPN"

.. tab-set::

   .. tab-item:: DMZ (Demilitarized Zone)

      **Standard:** Architecture concept

      **Main Features:**

      - Isolated network segment for public-facing services
      - Restricts external access to the internal LAN; a compromised DMZ host should not be able to reach inward
      - Limits exposure and attack surface

      **Use Cases:**

      - Hosting public servers securely (e.g., web, mail)
      - Isolating test/dev environments

      **Alternative Technologies:**

      - Reverse proxy
      - Bastion hosts

      .. panels::
         :container: container pb-4
         :column: col-lg-12 p-2

         **Let us learn more about DMZ:**

         * :ref:`Learnings in this section `
         * :ref:`Terminology `
         * :ref:`Version Info `
         * :ref:`DMZ Version&RFC Details `
         * :ref:`DMZ Basic Setup on Ubuntu using IPv4 `
         * :ref:`DMZ Basic Setup on Ubuntu using IPv6 `
         * :ref:`DMZ Protocol Packet Details `
         * :ref:`DMZ Usecases `
         * :ref:`DMZ Basic Features `
         * :ref:`DMZ Feature : Network Segmentation `
         * :ref:`DMZ Feature : Firewall Enforcement `
         * :ref:`DMZ Feature : Public Service Hosting `
         * :ref:`DMZ Feature : Access Control `
         * :ref:`DMZ Feature : Intrusion Detection/Prevention `
         * :ref:`DMZ Feature : Logging and Monitoring `
         * :ref:`DMZ Feature : Reverse Proxy Support `
         * :ref:`DMZ Feature : VPN Termination Point `
         * :ref:`DMZ Feature : Redundancy and High Availability `
         * :ref:`DMZ Feature : Cloud-Compatible Design `
         * :ref:`Reference links `

         .. button-link:: ./DMZ.html
            :color: primary
            :shadow:
            :expand:

            Jump to "DMZ"

.. tab-set::

   .. tab-item:: Firewall

      **Standard:** None (vendor-specific implementations)

      **Main Features:**

      - Filters traffic using rules and policies, normally first match wins with a default deny
      - Supports stateless and stateful inspection (stateful firewalls track connections so replies pass without a reverse rule)
      - May inspect up to Layer 7 (Next-Gen Firewalls)

      **Use Cases:**

      - Enterprise network protection
      - Access control and segmentation

      **Alternative Technologies:**

      - Access Control Lists (ACLs)
      - Host-based firewalls

      .. panels::
         :container: container pb-4
         :column: col-lg-12 p-2

         **Let us learn more about Firewalls:**

         .. button-link:: ./Firewall.html
            :color: primary
            :shadow:
            :expand:

            Jump to "Firewall"

.. tab-set::

   .. tab-item:: MACsec (802.1AE)

      **Standard:** IEEE 802.1AE

      **Main Features:**

      - Layer 2 (Ethernet) encryption and integrity protection (GCM-AES)
      - Protects against LAN sniffing, frame tampering and replay
      - Hop-by-hop protection of individual links between switches, routers and hosts (not end-to-end)

      **Use Cases:**

      - Securing enterprise LANs
      - Government and financial infrastructure

      **Alternative Technologies:**

      - IPsec – for end-to-end encryption at Layer 3
      - 802.1X – for port authentication; its MKA (802.1X-2010) distributes MACsec keys

      .. panels::
         :container: container pb-4
         :column: col-lg-12 p-2

         **Let us learn more about MACsec:**

         * :ref:`Learnings in this section `
         * :ref:`Terminology `
         * :ref:`Version Info `
         * :ref:`MACsec_802_1ae Version&RFC Details `
         * :ref:`MACsec_802_1ae Basic Setup on Ubuntu using IPv4 `
         * :ref:`MACsec_802_1ae Basic Setup on Ubuntu using IPv6 `
         * :ref:`MACsec_802_1ae Protocol Packet Details `
         * :ref:`MACsec_802_1ae Usecases `
         * :ref:`MACsec_802_1ae Basic Features `
         * :ref:`MACsec_802_1ae Feature : Layer 2 Encryption `
         * :ref:`MACsec_802_1ae Feature : Data Integrity and Authentication `
         * :ref:`MACsec_802_1ae Feature : AES-GCM Encryption `
         * :ref:`MACsec_802_1ae Feature : Replay Protection `
         * :ref:`MACsec_802_1ae Feature : Per-Hop Security `
         * :ref:`MACsec_802_1ae Feature : No IP Dependency `
         * :ref:`MACsec_802_1ae Feature : Compatibility with 802.1X `
         * :ref:`MACsec_802_1ae Feature : Minimal Latency Overhead `
         * :ref:`Reference links `

         .. button-link:: ./MACsec_802_1ae.html
            :color: primary
            :shadow:
            :expand:

            Jump to "MACsec"
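The SSH card above lists key-based authentication and key management. The check that actually defeats a man-in-the-middle on first connection is comparing the server's host key fingerprint with one obtained out of band, and the ``SHA256:...`` string that ``ssh`` prints (and ``ssh-keygen -lf`` computes) is just the base64 SHA-256 of the raw key blob. The following is an added example, not code from this page or from OpenSSH: it parses a ``known_hosts`` line, checks that the blob's embedded type matches the declared type, and computes that fingerprint. The host name and the 32-byte key are constructed placeholders, not a real server key.

```python
"""Parse an OpenSSH known_hosts line and compute the host key fingerprint.

Added example, not part of this page or of OpenSSH.  The key blob below is
constructed (32 zero bytes standing in for a real ed25519 public key).
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (RFC 4251 s5): uint32 length + payload."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_strings(blob: bytes) -> list:
    """Split a public-key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated SSH string length")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated SSH string")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint in the format ssh and `ssh-keygen -lf` print:
    'SHA256:' + unpadded base64 of the digest over the raw key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str) -> dict:
    """Parse 'hostname keytype base64blob [comment]' and validate the blob.
    Hashed hostnames (|1|...) and @marker lines are out of scope here."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("malformed known_hosts line")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    fields = parse_ssh_strings(blob)
    # The first field inside the blob repeats the key type; a mismatch means
    # the line was edited or is not what it claims to be.
    if not fields or fields[0] != keytype.encode():
        raise ValueError("key type inside blob does not match declared type")
    return {"host": host, "type": keytype, "blob": blob,
            "fingerprint": fingerprint_sha256(blob)}


def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """Compare the stored key against a fingerprint obtained out of band
    (e.g. from the console of the server or an inventory system)."""
    return parse_known_hosts_line(line)["fingerprint"] == expected_fingerprint


# Constructed sample: an ssh-ed25519 blob whose 32-byte key is all zeros.
DUMMY_ED25519 = ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))
SAMPLE_LINE = ("bastion.example.net ssh-ed25519 "
               + base64.b64encode(DUMMY_ED25519).decode())
```

Because the fingerprint is computed over the blob exactly as it appears in ``known_hosts``, the same function applied to a line in ``authorized_keys`` or to the output of ``ssh-keyscan`` gives the value an administrator should compare against the fingerprint shown at first connection.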
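The IPsec card above distinguishes transport mode from tunnel mode and lists integrity checking and flexible algorithm support; the difference between the two modes is visible in the ESP framing alone. The following is an added example, not code from this page or from any IPsec implementation. It frames packets with ESP (RFC 4303) using the NULL cipher (RFC 2410) so the padding rule and the Next Header field can be seen in clear, and protects them with HMAC-SHA-256-128 (RFC 4868) from the standard library; a real SA would use an AEAD such as AES-GCM. The key, the SPI and the inner IPv4 packet are constructed, and the outer IP header a tunnel-mode gateway would add is outside ESP and therefore not built here.

```python
"""ESP (RFC 4303) framing in transport and tunnel mode.

Added example, not code from this page.  ESP-NULL (RFC 2410) is used so the
framing, the padding rule and the HMAC-SHA-256-128 ICV (RFC 4868) are visible;
a real SA would use an AEAD such as AES-GCM.  Key and packet are constructed.
"""
import hashlib
import hmac
import struct

IPPROTO_IPV4, IPPROTO_TCP, IPPROTO_IPV6 = 4, 6, 41
ICV_LEN = 16  # HMAC-SHA-256-128 truncates the 32-byte MAC to 128 bits


def esp_padding(payload_len: int, block: int = 4) -> bytes:
    """Pad so that payload + padding + (pad length, next header) is a multiple
    of `block` (4 for ESP-NULL, the cipher block size otherwise).  RFC 4303's
    default padding is the monotonic byte sequence 1, 2, 3, ..."""
    pad_len = (-(payload_len + 2)) % block
    return bytes(range(1, pad_len + 1))


def _esp_frame(next_hdr: int, payload: bytes, spi: int, seq: int, key: bytes) -> bytes:
    header = struct.pack(">II", spi, seq)      # SPI and sequence number stay in clear
    pad = esp_padding(len(payload))
    body = payload + pad + bytes([len(pad), next_hdr])   # the region ESP encrypts
    icv = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    return header + body + icv


def esp_transport(l4_proto: int, segment: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: the original IP header stays outside ESP; the payload is
    just the transport segment and Next Header names its protocol (6 = TCP)."""
    return _esp_frame(l4_proto, segment, spi, seq, key)


def esp_tunnel(ip_packet: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel mode: the whole inner IP packet, header included, is the payload
    and Next Header says which IP version it is (4 or 41)."""
    next_hdr = IPPROTO_IPV4 if ip_packet[0] >> 4 == 4 else IPPROTO_IPV6
    return _esp_frame(next_hdr, ip_packet, spi, seq, key)


def esp_decapsulate(packet: bytes, key: bytes):
    """Verify the ICV before touching anything else, then strip the padding.
    Returns (spi, seq, next_hdr, payload)."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: packet forged or corrupted")
    spi, seq = struct.unpack(">II", header)
    pad_len, next_hdr = body[-2], body[-1]
    if pad_len > len(body) - 2:
        raise ValueError("pad length exceeds body")
    end = len(body) - 2 - pad_len
    if body[end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding bytes do not follow the default pattern")
    return spi, seq, next_hdr, body[:end]


KEY = bytes(range(32))  # constructed; never reuse real key material in examples

# Constructed inner IPv4 packet: 20-byte header (proto 6 = TCP, 10.0.0.1 -> 10.0.0.2,
# checksum left zero) followed by a 7-byte stand-in for the TCP segment.
INNER_IPV4 = (bytes([0x45, 0x00, 0x00, 27, 0, 0, 0x40, 0x00, 64, IPPROTO_TCP, 0, 0])
              + bytes([10, 0, 0, 1, 10, 0, 0, 2]) + b"payload")
```

Note what a passive observer still learns in either mode: the SPI and the sequence number are never encrypted, and in transport mode the outer header carries the real endpoints, which is why site-to-site VPNs use tunnel mode.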
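The DMZ and Firewall cards above describe the same control from two sides: a segment that public clients may reach but that must not be able to reach inward, enforced by first-match rules with a default deny and, for stateful firewalls, a connection table that lets replies through without a reverse rule. The following is an added example, not code from this page or from any firewall product, that models that policy for a three-legged DMZ. The zones, addresses (``10.0.0.0/8`` for the LAN, TEST-NET-1 ``192.0.2.0/24`` standing in for the DMZ, everything else "internet") and rules are constructed.

```python
"""Zone-based policy for a three-legged DMZ firewall.

Added example, not this page's code.  Zones, addresses and rules are
constructed.  It shows first-match evaluation, default deny, and a minimal
connection table so replies to accepted flows pass without a reverse rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

ZONES = {
    "lan": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything unknown is the untrusted internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                           # "accept" or "drop"
    proto: Optional[str] = None           # None = any protocol
    dports: FrozenSet[int] = frozenset()  # empty = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.src_zone == zone_of(pkt.src)
                and self.dst_zone == zone_of(pkt.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (not self.dports or pkt.dport in self.dports))


# First match wins; anything that reaches the end is dropped (default deny).
POLICY = [
    Rule("internet", "dmz", "accept", "tcp", frozenset({80, 443})),  # public web front end
    Rule("lan", "dmz", "accept", "tcp", frozenset({22, 443})),       # admins reach DMZ hosts
    Rule("dmz", "lan", "drop"),                                       # a popped DMZ host must not pivot inward
    Rule("dmz", "internet", "accept", "tcp", frozenset({443})),      # DMZ egress limited to HTTPS
    Rule("lan", "internet", "accept"),                                # LAN egress
]


class Firewall:
    """Stateful first-match evaluator over a zone policy."""

    def __init__(self, policy):
        self.policy = policy
        self.flows = set()  # accepted 5-tuples, stored in the initiating direction

    def evaluate(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.flows:
            return "established"  # reply to a flow that was already accepted
        for rule in self.policy:
            if rule.matches(pkt):
                if rule.action == "accept":
                    self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return rule.action
        return "drop"


def run_scenario() -> dict:
    """Constructed traffic run through the policy in order; returns verdicts."""
    fw = Firewall(POLICY)
    traffic = {
        "client_to_web":  Packet("203.0.113.7", 40001, "192.0.2.10", 443, "tcp"),
        "web_reply":      Packet("192.0.2.10", 443, "203.0.113.7", 40001, "tcp"),
        "dmz_pivot":      Packet("192.0.2.10", 50000, "10.0.0.5", 445, "tcp"),
        "admin_ssh":      Packet("10.0.0.5", 50001, "192.0.2.10", 22, "tcp"),
        "inbound_to_lan": Packet("203.0.113.7", 40002, "10.0.0.5", 22, "tcp"),
        "dmz_smtp_out":   Packet("192.0.2.10", 50002, "198.51.100.25", 25, "tcp"),
    }
    return {name: fw.evaluate(p) for name, p in traffic.items()}
```

The two verdicts worth noticing are ``web_reply``, which passes only because the connection table remembers the accepted inbound flow (a stateless ruleset would need a broad DMZ-to-internet rule for it), and ``dmz_smtp_out``, which is dropped by the default deny rather than by an explicit rule: the DMZ's egress is whitelisted, so a compromised web server cannot freely call out.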
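The MACsec card above lists the SecTAG fields and replay protection, and replay protection also appears under the IPsec card; the two standards implement it differently. The following is an added example, not code from this page or from any MACsec or IPsec implementation. It parses the 802.1AE SecTAG (EtherType ``0x88E5``, TCI/AN byte, short length, 32-bit packet number, optional SCI) from a constructed frame whose 16-byte ICV is a placeholder rather than a real GCM tag, and then shows both replay strategies side by side: the 802.1AE threshold check (accept any PN not older than ``nextPN - replayWindow``) and the per-packet bitmap window that ESP uses (RFC 4303, Appendix A), which additionally rejects duplicates inside the window.

```python
"""MACsec (IEEE 802.1AE) SecTAG parsing and two replay-protection strategies.

Added example, not this page's code.  The frame is constructed and its ICV is
a placeholder, not a real GCM-AES tag; the point is the tag layout and the
difference between the 802.1AE threshold check and ESP's bitmap window.
"""
import struct

MACSEC_ETHERTYPE = 0x88E5
ICV_LEN = 16  # GCM-AES-128/256 ICV


def parse_macsec_frame(frame: bytes) -> dict:
    """Split an 802.1AE frame into addresses, SecTAG fields, secure data and ICV."""
    if len(frame) < 12 + 8 + ICV_LEN:
        raise ValueError("frame too short for a SecTAG and ICV")
    dst, src = frame[:6], frame[6:12]
    ethertype, tci_an, sl, pn = struct.unpack(">HBBI", frame[12:20])
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame")
    if tci_an & 0x80:
        raise ValueError("unsupported MACsec version bit")
    tci = {"es": bool(tci_an & 0x40), "sc": bool(tci_an & 0x20), "scb": bool(tci_an & 0x10),
           "e": bool(tci_an & 0x08), "c": bool(tci_an & 0x04)}
    an = tci_an & 0x03          # association number selects one of four SAs
    short_len = sl & 0x3F       # non-zero only when secure data is shorter than 48 bytes
    if pn == 0:
        raise ValueError("PN 0 is never valid")
    pos, sci = 20, None
    if tci["sc"]:               # explicit Secure Channel Identifier follows the PN
        sci, pos = frame[20:28], 28
    elif tci["es"]:             # end station: SCI is implied as source MAC + port 1
        sci = src + b"\x00\x01"
    secure_data, icv = frame[pos:-ICV_LEN], frame[-ICV_LEN:]
    if short_len and len(secure_data) != short_len:
        raise ValueError("short length does not match secure data length")
    return {"dst": dst, "src": src, "tci": tci, "an": an, "pn": pn, "sci": sci,
            "encrypted": tci["e"] and tci["c"],  # E=C=0 is integrity-only, plaintext data
            "secure_data": secure_data, "icv": icv}


class MacsecReplayCheck:
    """802.1AE replay protection: accept a PN unless it is older than
    nextPN - replayWindow.  Duplicates inside the window are NOT detected."""

    def __init__(self, replay_window: int):
        self.next_pn = 1
        self.window = replay_window

    def accept(self, pn: int) -> bool:
        if pn == 0 or pn < self.next_pn - self.window:
            return False
        self.next_pn = max(self.next_pn, pn + 1)
        return True


class BitmapReplayWindow:
    """Sliding bitmap window as ESP uses it (RFC 4303 Appendix A): rejects
    sequence numbers older than the window AND any already seen inside it."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set <=> sequence number (top - i) was seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False
        if seq > self.top:                    # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & ((1 << self.size) - 1)) | 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:               # older than the window
            return False
        if (self.bitmap >> offset) & 1:       # already seen: replay
            return False
        self.bitmap |= 1 << offset
        return True


# Constructed frame: SC=1, E=1, C=1, AN=1, PN=7, 8 bytes of secure data, dummy ICV.
SRC = bytes.fromhex("001122334455")
DST = bytes.fromhex("66778899aabb")
SAMPLE_FRAME = (DST + SRC + struct.pack(">HBBI", MACSEC_ETHERTYPE, 0x2D, 8, 7)
                + SRC + b"\x00\x01" + bytes(range(8)) + bytes(ICV_LEN))
```

Running ``MacsecReplayCheck(2)`` over the PNs 5, 4, 3, 4 accepts the second 4, while ``BitmapReplayWindow`` rejects any repeated number inside its window; MACsec tolerates this because it is a per-link protocol where reordering comes only from the hardware on that link, whereas ESP crosses arbitrary paths and tracks each sequence number individually.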