Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 50
69. Lecture-69: Introduction to Virtual Private Network.
Now, coming to VPN: what is VPN? Virtual private network means that whatever we are doing is virtual and private, and we are using a network to make our own network.
So, what are we actually creating? Our own private network. And this concept we call VPN.
So, basically we are using the unsecured Internet, you know, to make a secure path.
So, this concept we call VPN. Not all VPNs are secure; there are many VPNs which send data in clear text. But most of the time we want to use VPN to send our traffic in a secure way.
So, basically there are two possibilities. Either you buy your own leased line, so nobody will come onto your line and then you can send and receive data with protection; nobody can come onto your leased line, but they will charge you a lot and it costs.
So, the cheap solution is VPN, because the Internet is everywhere, at home and in the office. You just need to be Internet-based, and you can create a VPN tunnel from me to you over the Internet. You can create one on Windows as well, Linux as well, routers as well, switches as well, and anything which supports it. And you will see many VPN protocols working on all of these.
So, because VPN is a cheap solution, it just needs our Internet connection and a public IP; either they can get the IP dynamically and use DDNS.
So, basically we use VPN to provide privacy and data integrity, to hide the data so that nobody in between knows anything. Let me give an example here. Suppose you are in a boat, okay, and you are visible to everyone. Anybody can hit you, they can fire on you, they can do anything, they can damage you because you are visible.
So, the water is like our Internet. And when you are sending your data in clear text, maybe a hacker can hack you, and they can take your data, damage your network, bring down services and get your sensitive data.
So, this is one method: if you are sending everything in plain text.
So, what is the solution? The solution is to use a submarine, which is underwater. Again, that water is the Internet, but now you are protected. Nobody can see you; you are not visible like this. You are going underwater, and also your data is encrypted. Nobody can hack you now, nobody can see anything, nobody knows who is inside this submarine. This is called VPN. Or, when you are shifting from one home to another home, your sofa and everything, your household stuff, you put them in a truck and that vehicle is going on the road, but your stuff is inside. It's not visible to anyone.
So, this road is like our Internet and this is your packet, but inside it is encrypted.
So, this is the VPN concept: to use public transport. This is public transport. Or you can buy your own car to carry your stuff. Now your stuff is only worth twenty dollars and you want to buy a twenty thousand dollar car to take your data from one place to another, which is not a good decision. This is why we never want a leased line, because it's so costly.
So, that's why we use VPN: we use the Internet like public transport, like the water, to encrypt our data and send it to the other party. Now VPN can be classified in many ways, but mostly two of them: site-to-site VPN and remote access VPN. VPN can be classified based on the OSI layer where it is placed: it can be a layer 2 VPN or a layer 3 VPN. VPN can also be classified by tunneling protocol, into PPTP, L2TP and others. It can be classified on trust level: intranet VPN, extranet VPN and remote VPN. It can be a traditional VPN over Frame Relay and ATM, or provider-provisioned, like MPLS and BGP VPNs. It can be SSL-based, like SSL VPN. It can be a secure VPN, a trusted VPN or a hybrid VPN. And it can be classified as a clear-text VPN; there are clear-text VPNs as well, and all these send data in clear text. Now coming to why we need a VPN, and what are the advantages.
So, cost saving: a leased line will definitely cost too much. Scalability, security, compatibility, better performance, flexibility, reliability. You can add any branch at any time; it's just two or three clicks and your VPN will be ready. Also security: it can provide you a secure VPN so that nobody can attack you. Nobody can do a man-in-the-middle attack, nobody can spoof your data, because if you are not using VPN your data will be sent in clear text, and when you send in clear text anybody can see it. Now, on the FortiGate firewall we can configure many VPNs; the most famous one is site-to-site VPN and the other one is remote user, or remote access VPN. Site-to-site VPN is also called LAN-to-LAN VPN; there are so many names. If you want to connect one branch office to the main office, we call it site-to-site VPN. If you want to connect remote sites with each other, we call it site-to-site VPN. If you want to connect a central site to a remote site, we call it site-to-site VPN. Like this, they will connect this branch to this branch. And remote user, or remote access VPN, is like your mobile phone, your Android phone, your Mac operating system, your Windows, Linux, your iPad, iPod: you can connect to your network, your other office network. This is called remote VPN. You can remotely connect from home, from office, on the move, from anywhere.
So, site-to-site VPN we also call LAN-to-LAN VPN, private-to-private VPN, or private network over public network VPN; there are so many names you can give it. And then remote access. I already told you that in remote access VPN there are a further two categories. Category one is to install an application, like this one, GlobalProtect from Palo Alto.
So, FortiGate has its own software to install, and also you can use SSL-based VPN; you just need a browser.
So, client-based VPN and clientless VPN: remote access VPN then has two more categories. Then coming to protocols: there are so many VPN protocols. Point-to-Point Tunneling Protocol, Layer 2 Forwarding protocol, Layer 2 Tunneling Protocol, Generic Routing Encapsulation protocol, Multiprotocol Label Switching (MPLS), IPsec and SSL. But these last two are more famous. And you have so many protocols for encryption; they have so many methods. We already discussed these: DES, 3DES, AES 128, AES 192 and AES 256. For hashing they have SHA (Secure Hash Algorithm) and MD5 (message digest), and for authentication they have pre-shared key and digital certificate. This was VPN. Okay.
70. Lecture-70: Policy-Based and Route-Based VPNs Theory.
Now, on the FortiGate firewall you can configure a policy-based VPN and a route-based VPN. In both policy-based and route-based VPN, both phases are there; you configure them as normal. But in route-based VPN an interface will be created automatically; an interface will be created, but in policy-based there will be no interface. We will see both in the lab, then you will feel the difference. What is the difference between policy-based and route-based VPN? For route-based VPN, you need to create two policies. When we do the lab, I will mention it to you. What are these two policies? Security policies: one policy from LAN to VPN and another from VPN to LAN, your local area network.
So, for route-based VPN you need to create two policies. But for policy-based VPN, you just need only one policy, which will work for both directions. Route-based is also called interface-based VPN or tunnel-interface VPN, and policy-based VPN we also call tunnel-mode VPN.
So, here we require two policies to allow the traffic, and here we require only one policy to allow the traffic. In both cases, we need to create phase 1 and phase 2 of the VPN. These are the major differences between these two, policy-based and route-based. Both support NAT mode and transparent mode; NAT mode and transparent mode, you remember.
So, policy-based can be configured in both modes, but route-based can only be configured in NAT mode, because it is route-based, so in transparent mode it will not work at all. L2TP support: yes, both support it. GRE support: no, policy-based does not support it, but route-based supports it. Security policy requirement: route-based requires two policies and policy-based requires only one policy; this one requires a separate policy for every connection. That's the major difference between these two. Otherwise, at the end of the day they are almost similar. Now, before going to the lab, we need to know some terminologies which we will face when we do the lab, and one of those is overlay controller VPN. As you know, you can configure many VPNs on the FortiGate firewall; there are many options, and one of them is OCVPN, which we call overlay controller VPN. This is like a cloud, you know: if all your FortiGate firewalls are registered and they are in the public cloud, you can connect them directly, and they will learn each other automatically. This is not our topic, but we will see this terminology there.
So, maybe you will ask, what is this one? So, that's what I'm telling you.
So, you can configure this type of VPN as well, but it requires a license and it requires a proper registration. Another thing which we will face when we configure VPN in the lab is the blackhole route. What is a blackhole route? You know, in Cisco and Linux we also use the same thing, null. We use null0, you know, and when you do summarization a null interface is created there automatically.
So, whenever the traffic comes and there is nobody to receive it,
the interface will destroy it. The same case here: the blackhole route. Suppose one site is down in the VPN and the other side is sending the data again and again.
So, this side will receive it but cannot respond.
So, what will they do in this case? This blackhole route will destroy those packets.
So, in this way, there will be no burden on your firewall, on your network, because there is nobody to receive the data.
So, for this purpose we will use the blackhole route, and the administrative distance is the last one, 254. We already discussed administrative distance. We will give it the last one, so if nobody is there to receive the data,
it will be destroyed by this blackhole route. Then another thing which we will see is the VPN template. The VPN template is like a wizard: just do next, next, next, and you will configure VPN. In two minutes you can configure a site-to-site VPN on the FortiGate firewall if you are using the VPN template.
So, the template is nothing but a wizard where you click next, next, next; everything is predefined and you will configure a site-to-site VPN or a remote access VPN.
So, this is called a VPN template. Another thing which we will see is dead peer detection. Dead peer means your peer, your neighbor, and detection means to detect; so dead peer detection means maybe your other side's firewall is down. In a site-to-site VPN you have two sides; you configured them, but one side's firewall is down.
So, how will this firewall know?
So, in this way, you have to enable dead peer detection; one is On Idle and the other is On Demand. On Idle means whenever you are not using the site-to-site VPN tunnel, they will keep it up. On Idle is whenever the VPN is empty and nobody is using it, sending or receiving data; if you enable dead peer detection and choose On Idle, they will send traffic, you know, they will re-establish the VPN and keep it up: no, no, no, don't sleep. Because if you are not using the site-to-site tunnel it will go down, because they have a lifetime, and if nobody is using it, it will go down.
So, when you start sending traffic, it will come up. But if you say no, no, I don't want to bring it down, you can use dead peer detection so it does not sleep.
So, one is On Idle and the other is On Demand, and On Demand means on your demand: whenever you want, you can make it up.
So, we will see this type of option. Another option we will see is NAT traversal. What is NAT traversal? Sometimes when you create a site-to-site VPN between two sites, because this is a site and this is a site, maybe there is a router in the middle, either here or there in the middle, and this is the Internet cloud.
So, NAT is configured on this router, but your firewall is here and your firewall is here, behind the router, and on them there is no NAT configured. We already discussed NAT so many times. And so, if the packet is not able to go through as it is,
it will be destroyed here, because NAT will change the packet. They will say, okay, wait, let me change your IP to another IP. This is NAT.
So, when you are changing something, the packet will be dropped. This is the beauty of the VPN: whatever you send has to be the same; everything should be the same, nothing should change, even the IP.
So, what is left? The integrity is gone.
So, when the packet is received by this firewall, they will destroy it. They will say no, this has changed, because the original hash and the received hash are different.
So, what is the solution in this case? Because NAT will change the IP; we know NAT is changing the IP.
So, for this purpose we need NAT traversal.
So, we will enable NAT traversal to bypass the NAT devices, so the packet will not be modified and they will accept the packet when it is received. For this purpose we use that option as well. But I told you there is also keepalive frequency; for this purpose we can enable keepalive frequency, which means the time: you can enable that feature so that they can check after a while, at a frequency, how frequently. Another thing which we will see in the lab is XAuth, which means extended authentication. This is a concept for dial-up users. This is out of topic, but I'm just telling you, we will see it. Maybe you will ask, what is this? It's a mechanism like RADIUS and LDAP for this type of authentication. If you want to authenticate a user using a remote dial-up line, you can use this authentication method as well, which is normally not an option you will see in the real world, but it's there.
So, this is some terminology we have discussed.
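As an added example (not from the lecture and not Fortinet's own documentation), this is the FortiOS CLI shape of a route-based site-to-site IPsec VPN with the settings the lecture names: dead peer detection On Idle, NAT traversal with a keepalive frequency, the two firewall policies a route-based VPN needs, and the blackhole route at administrative distance 254. Interface names, subnets, the address objects LAN_local and LAN_remote and the peer IP are assumptions for illustration.

```fortios
# Assumed for this example: WAN is port1, LAN is port2, peer gateway 203.0.113.2 (documentation
# range), local LAN 10.1.0.0/16, remote LAN 10.2.0.0/16, address objects LAN_local/LAN_remote exist.
config vpn ipsec phase1-interface
    edit "ToBranch"               # route-based: a tunnel interface named "ToBranch" is created
        set interface "port1"
        set proposal aes256-sha256
        set dpd on-idle           # dead peer detection probes only while the tunnel is idle
        set nattraversal enable   # survive a NAT router between the two firewalls
        set keepalive 10          # NAT-T keepalive frequency, in seconds
        set remote-gw 203.0.113.2
        set psksecret <pre-shared-key-placeholder>
    next
end
config vpn ipsec phase2-interface
    edit "ToBranch"
        set phase1name "ToBranch"
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
config router static
    edit 1                        # steer remote LAN traffic into the tunnel interface
        set dst 10.2.0.0 255.255.0.0
        set device "ToBranch"
    next
    edit 2                        # blackhole at distance 254: wins only when the tunnel route is gone
        set dst 10.2.0.0 255.255.0.0
        set blackhole enable
        set distance 254
    next
end
config firewall policy
    edit 1                        # policy 1 of 2: LAN to VPN
        set srcintf "port2"
        set dstintf "ToBranch"
        set srcaddr "LAN_local"
        set dstaddr "LAN_remote"
        set action accept
        set service "ALL"
    next
    edit 2                        # policy 2 of 2: VPN to LAN (route-based needs both directions)
        set srcintf "ToBranch"
        set dstintf "port2"
        set srcaddr "LAN_remote"
        set dstaddr "LAN_local"
        set action accept
        set service "ALL"
    next
end
```

The phase 1 name doubles as the tunnel interface name, which is why the static route and both policies reference "ToBranch"; a policy-based VPN would instead use a single IPsec-action policy and no tunnel interface.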