Setting Up a Virtual Private Network - PowerPoint PPT Presentation

Provided by: annek162
Slides: 49

Transcript and Presenter's Notes

1
Setting Up a Virtual Private Network
  • Chapter 9

2
Learning Objectives
  • Understand the components and essential
    operations of virtual private networks (VPNs)
  • Describe the different types of VPNs
  • Create VPN setups such as mesh or hub-and-spoke
    configurations
  • Choose the right tunneling protocol for your VPN
  • Enable secure remote access for individual users
    via a VPN
  • Observe best practices for configuring and
    maintaining VPNs effectively

3
VPNs
  • Goal: Provide a cost-effective and secure way to
    connect businesses to one another and remote
    workers to office networks
  • Encapsulate and encrypt data being transmitted
  • Use authentication to ensure that only approved
    users can access the VPN
  • Provide a means of secure point-to-point
    communications over the public Internet

4
VPN Components and Operations
  • Essential components that make up a VPN
  • How VPNs enable data to be accessed securely
  • Advantages and disadvantages of using VPNs
    compared to leased lines
  • How VPNs extend network boundaries

5
Components within VPNs
  • Hardware devices
  • Can have two endpoints or terminators
  • Can have a (virtual) tunnel
  • Software that performs security-related activities

6
(No Transcript)
7
(No Transcript)
8
(No Transcript)
9
Devices That Form the Endpoints of the VPN
  • Server running a tunneling protocol
  • VPN appliance
  • A firewall/VPN combination
  • A router-based VPN

10
Essential Activities of VPNs
  • IP encapsulation
  • Data payload encryption
  • Encrypted authentication

11
IP Encapsulation
  • Provides a high degree of protection from anyone
    observing traffic on the path
  • VPN encapsulates the actual data packets within
    outer packets that use the source and destination
    addresses of the VPN gateways
  • Source and destination information of the actual
    data packets is hidden from the public network
    (when ESP is used; AH authenticates the packet but
    does not encrypt it)
  • Because a VPN tunnel is used, source and
    destination IP addresses of actual data packets
    can be in private reserved blocks (RFC 1918) not
    routable over the Internet

12
Data Payload Encryption
  • Transport mode: only the payload is encrypted; the
    original IP header stays in the clear, so the real
    endpoints remain visible (typically host-to-host)
  • Tunnel mode: the entire original packet, header
    included, is encrypted and a new outer header
    addressed to the VPN gateways is added (typically
    gateway-to-gateway)
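
Worked example, added here and not part of the presentation, of the two slides above: an ESP-style security association that encapsulates the same inner packet in tunnel mode (outer header carries only the gateway addresses, inner addresses and payload are hidden) and in transport mode (original header stays visible, only the payload is encrypted), with the receiver checking the integrity tag before anything else and rejecting replayed sequence numbers. The cipher is a stand-in (an HMAC-SHA256 keystream) for a real AEAD such as AES-GCM, the IPv4 checksum is left at zero, and all addresses, keys and the HTTP payload are made up.

```python
import hashlib
import hmac
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_ESP = 4, 6, 50
ICV_LEN = 16          # truncated HMAC tag, as real ESP truncates its ICV
REPLAY_WINDOW = 64    # receiver accepts sequence numbers within this many of the highest seen


class ReplayError(Exception):
    pass


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header: no options, TTL 64, checksum left at zero (demo only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ip_to_bytes(src), ip_to_bytes(dst))


def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9])),
            "proto": f[6], "header": pkt[:ihl], "payload": pkt[ihl:f[2]]}


def _rewrite(hdr, proto, payload_len):
    """Copy of an IPv4 header with new protocol and total-length fields."""
    return hdr[:2] + struct.pack("!H", len(hdr) + payload_len) + hdr[4:9] + bytes([proto]) + hdr[10:]


def _keystream(key, spi, seq, n):
    """Stand-in for a real cipher: HMAC-SHA256 in counter mode, keyed per (SPI, seq)."""
    blocks = (hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class EspSa:
    """One ESP security association, usable as sender (encap) or receiver (decap)."""

    def __init__(self, spi, enc_key, auth_key, mode, gw_src=None, gw_dst=None):
        assert mode in ("tunnel", "transport")
        self.spi, self.enc_key, self.auth_key, self.mode = spi, enc_key, auth_key, mode
        self.gw_src, self.gw_dst = gw_src, gw_dst
        self.seq = 0                        # sender side: last sequence number sent
        self.highest, self.seen = 0, set()  # receiver side: anti-replay state

    def encap(self, inner):
        self.seq += 1
        ip = parse_ipv4(inner)
        if self.mode == "tunnel":
            plain, next_hdr = inner, IPPROTO_IPIP         # whole packet, header included
        else:
            plain, next_hdr = ip["payload"], ip["proto"]  # original header stays in the clear
        pad_len = (-(len(plain) + 2)) % 4                  # ESP trailer: pad, pad length, next header
        body = plain + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
        esp = struct.pack("!II", self.spi, self.seq)
        esp += _xor(body, _keystream(self.enc_key, self.spi, self.seq, len(body)))
        esp += hmac.new(self.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
        if self.mode == "tunnel":
            return ipv4_header(self.gw_src, self.gw_dst, IPPROTO_ESP, len(esp)) + esp
        return _rewrite(ip["header"], IPPROTO_ESP, len(esp)) + esp

    def decap(self, wire):
        outer = parse_ipv4(wire)
        if outer["proto"] != IPPROTO_ESP:
            raise ValueError("not an ESP packet")
        esp, icv = outer["payload"][:-ICV_LEN], outer["payload"][-ICV_LEN:]
        # Verify integrity before decrypting or touching replay state.
        tag = hmac.new(self.auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(tag, icv):
            raise ValueError("bad ICV")
        spi, seq = struct.unpack("!II", esp[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.highest - REPLAY_WINDOW or seq in self.seen:
            raise ReplayError("replayed or stale sequence number %d" % seq)
        body = _xor(esp[8:], _keystream(self.enc_key, spi, seq, len(esp) - 8))
        pad_len, next_hdr = body[-2], body[-1]
        plain = body[:len(body) - 2 - pad_len]
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - REPLAY_WINDOW} | {seq}
        if next_hdr == IPPROTO_IPIP:
            return plain                                   # tunnel mode: inner packet as sent
        return _rewrite(outer["header"], next_hdr, len(plain)) + plain   # transport mode


if __name__ == "__main__":
    payload = b"GET / HTTP/1.0\r\n"   # constructed inner payload
    inner = ipv4_header("10.1.0.5", "10.2.0.9", IPPROTO_TCP, len(payload)) + payload
    tx = EspSa(0x1001, b"k" * 32, b"a" * 32, "tunnel", "203.0.113.1", "198.51.100.1")
    outer = parse_ipv4(tx.encap(inner))
    print("on the wire:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
```

The order in `decap` is the part worth copying: integrity check first, then SPI lookup, then the replay window, then decryption. Checking replay before the tag would let a forged packet advance the window and drop legitimate traffic; decrypting before the tag invites padding-oracle style bugs.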

13
Encrypted Authentication
  • Hosts authenticate each other with keys: either a
    secret both sides already share (pre-shared key) or
    a public/private key pair, usually carried in a
    digital certificate
  • Session keys for the tunnel are derived from values
    exchanged during key negotiation (Diffie-Hellman in
    IKE); a private key is never transmitted
  • Types of keys involved
  • Symmetric keys (one key encrypts and decrypts; used
    for the bulk data)
  • Asymmetric keys (public/private pair; used for
    authentication and key agreement)

14
Advantages and Disadvantages of VPNs
15
VPNs Extend a Network's Boundaries
  • To deal with the increased risk caused by VPN
    connections
  • Use two or more authentication tools to identify
    remote users
  • Integrate virus protection
  • Set usage limits

16
Types of VPNs
  • Site-to-site VPN
  • Links two or more networks
  • Client-to-site VPN
  • Makes a network accessible to individual remote
    users who connect over dial-up or the Internet

17
VPN Appliances
  • Hardware devices specially designed to terminate
    VPNs and join multiple LANs
  • Permit connections, but do not provide other
    services (e.g., file sharing, printing)
  • Enable connections of more tunnels and users than
    software systems
  • Examples
  • SonicWALL series
  • Symantec Firewall/VPN appliance

18
Advantage of Using Hardware Systems
19
Software VPN Systems
  • Generally less expensive than hardware systems
  • Tend to scale better for fast-growing networks
  • Examples
  • F-Secure VPN
  • Novell BorderManager VPN services
  • Check Point FireWall-1

20
VPN Combinations of Hardware and Software
  • Cisco 3000 Series VPN Concentrator
  • Gives users the choice of operating in
  • Client mode, or
  • Network extension mode

21
VPN Combinations of Different Vendors Products
  • Challenge: Get all pieces to interoperate and
    communicate with one another successfully
  • Pick a standard security protocol that is widely
    used and that all devices support (e.g., IPSec)

22
VPN Setups
  • If two participants
  • Configuration is relatively straightforward in
    terms of expense, technical difficulty, and time
  • If three or more, several options
  • Mesh configuration
  • Hub-and-spoke arrangement
  • Hybrid setup

23
Mesh Configuration
  • Connects multiple gateways that each have a
    security association (SA) with every other gateway
    in the VPN; n sites need n(n-1)/2 tunnels, so the
    number of SAs to manage grows quickly

24
(No Transcript)
25
Hub-and-Spoke Configuration
  • A single VPN router maintains records of all SAs
  • Any device that wishes to participate in the VPN
    need only connect to the central router
  • Easy to increase size of the VPN
  • The requirement that all communications flow into
    and out of the central router slows down
    communications and makes that router a single
    point of failure

26
(No Transcript)
27
Hybrid Configuration
  • Benefits from the strengths of each: scalability
    of hub-and-spoke option and speed of mesh option
  • Use mesh for the most important branches of the
    network and critical communications
  • Use hub-and-spoke for overseas branches and for
    new branch offices
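
Added example, not part of the presentation, that puts numbers on the three layouts described on the last three slides: how many tunnels (and unidirectional IPSec SAs) each one needs for the same set of sites, which path a packet takes between two sites, and how many site pairs are forced through the hub. The site names, the choice of "hq" as hub and of "ny" and "lon" as the meshed core, and the function names are made up for illustration.

```python
from collections import deque
from itertools import combinations


def build_tunnels(sites, topology, hub=None, core=()):
    """Site pairs that need a VPN tunnel (each tunnel = one SA in each direction)."""
    if topology == "mesh":
        return {frozenset(p) for p in combinations(sites, 2)}
    if topology == "hub":
        return {frozenset((hub, s)) for s in sites if s != hub}
    if topology == "hybrid":
        # Hub plus the critical sites are fully meshed; everyone else is a spoke off the hub.
        core_set = set(core) | {hub}
        tunnels = {frozenset(p) for p in combinations(sorted(core_set), 2)}
        tunnels |= {frozenset((hub, s)) for s in sites if s not in core_set}
        return tunnels
    raise ValueError("unknown topology: %s" % topology)


def sa_count(tunnels):
    """IPSec SAs are unidirectional, so every tunnel costs two of them."""
    return 2 * len(tunnels)


def route(tunnels, src, dst):
    """Gateways a packet traverses from src to dst (breadth-first shortest path)."""
    adj = {}
    for a, b in (tuple(t) for t in tunnels):
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt in sorted(adj.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return None
    path, cur = [], dst
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]


def hub_transits(tunnels, sites, hub):
    """Number of site pairs whose traffic must pass through the hub in the middle."""
    return sum(1 for a, b in combinations(sites, 2)
               if hub in route(tunnels, a, b)[1:-1])


def compare(sites, hub, core):
    """Summary of tunnel count, SA count and hub load for the three layouts."""
    rows = {}
    for name in ("mesh", "hub", "hybrid"):
        t = build_tunnels(sites, name, hub=hub, core=core)
        rows[name] = {"tunnels": len(t), "sas": sa_count(t),
                      "via_hub": hub_transits(t, sites, hub)}
    return rows


if __name__ == "__main__":
    sites = ["hq", "ny", "lon", "tok", "syd", "dub"]   # made-up site names
    for name, row in compare(sites, hub="hq", core=["ny", "lon"]).items():
        print("%-7s %s" % (name, row))
```

With six sites the full mesh needs 15 tunnels (30 SAs) and never transits the hub; hub-and-spoke needs 5 tunnels but pushes 10 of the 15 site pairs through the hub; the hybrid with three meshed core sites costs 6 tunnels and keeps the critical ny-lon traffic off the hub.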

28
Configurations and Extranet and Intranet Access
  • Extranet
  • Enable firewalls and anti-virus software for each
    remote user or business partner
  • Intranet
  • Establish usage limits
  • Set up anti-virus and firewall protection

29
Configurations and Extranet and Intranet Access
30
Tunneling Protocols Used with VPNs
  • IPSec/IKE
  • PPTP (Point-to-Point Tunneling Protocol)
  • L2TP (Layer 2 Tunneling Protocol)
  • PPP over SSL (Point-to-Point Protocol over Secure
    Sockets Layer)
  • PPP over SSH (Point-to-Point Protocol over Secure
    Shell)

31
IPSec/IKE
  • IPSec provides
  • Encryption of the data part of packets
  • Authentication
  • Encapsulation between two VPN hosts
  • Two security protocols: AH (authenticates and
    integrity-protects the packet but does not encrypt
    it) and ESP (encrypts the payload and optionally
    authenticates it)
  • Capability to work in two modes (transport and
    tunnel)
  • IKE provides
  • Authentication of the peers and agreement on shared
    session keys (via Diffie-Hellman); public values are
    exchanged, private keys never leave the host
  • Ability to negotiate which encryption and integrity
    algorithms are used for data that flows through the
    VPN tunnel
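
Added example, not from the presentation, of the key negotiation and authentication that the Encrypted Authentication slide and the IKE bullets above describe: two peers exchange Diffie-Hellman public values and nonces, each derives the same session keys without its private value ever leaving the process, and a pre-shared-key AUTH payload bound to the whole exchange lets each side detect a peer with the wrong secret or an attacker who swapped in her own public value. It assumes the RFC 3526 group 14 modulus (as negotiated by IKE), HMAC-SHA256 as the PRF and the IKEv2 "Key Pad" construction for PSK authentication; the key derivation is a simplification of IKEv2's prf+, and the peer names, PSK and `Peer`/`run_exchange` helpers are made up.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP) as used by IKE; verify against the RFC before reuse.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2


def prf(key, data):
    """IKE's pseudo-random function, instantiated here as HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def i2b(n):
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


class Peer:
    """One IKE peer: holds its private DH value and the pre-shared key it trusts."""

    def __init__(self, name, psk):
        self.name, self.psk = name, psk
        self.priv = secrets.randbelow(P - 2) + 1   # never leaves this object
        self.pub = pow(G, self.priv, P)
        self.nonce = secrets.token_bytes(32)
        self.keys = self.transcript = None

    def hello(self):
        """First message: identity, DH public value and nonce (all sent in the clear)."""
        return {"id": self.name, "pub": self.pub, "nonce": self.nonce}

    def finish(self, other):
        """Derive session keys from the peer's hello and produce our AUTH payload."""
        if not 1 < other["pub"] < P - 1:
            raise ValueError("degenerate DH public value")
        shared = pow(other["pub"], self.priv, P)
        init, resp = sorted([self.hello(), other], key=lambda h: h["id"])
        self.transcript = b"".join(h["id"].encode() + i2b(h["pub"]) + h["nonce"]
                                   for h in (init, resp))
        skeyseed = prf(init["nonce"] + resp["nonce"], i2b(shared))
        self.keys = {label: prf(skeyseed, label.encode() + self.transcript)
                     for label in ("sk_ai", "sk_ar", "sk_ei", "sk_er")}
        # PSK authentication: AUTH binds the whole transcript to the shared secret.
        auth_key = prf(self.psk, b"Key Pad for IKEv2")
        return {"id": self.name, "auth": prf(auth_key, self.transcript + self.name.encode())}

    def verify(self, other_auth):
        auth_key = prf(self.psk, b"Key Pad for IKEv2")
        expected = prf(auth_key, self.transcript + other_auth["id"].encode())
        return hmac.compare_digest(expected, other_auth["auth"])


def run_exchange(a, b, mitm=None):
    """Run the exchange between a and b; if mitm is given, it swaps in its own DH value."""
    ha, hb = a.hello(), b.hello()
    if mitm is not None:
        ha, hb = dict(ha, pub=mitm.pub), dict(hb, pub=mitm.pub)
    auth_a, auth_b = a.finish(hb), b.finish(ha)
    return {"keys_match": a.keys == b.keys,
            "a_trusts_b": a.verify(auth_b),
            "b_trusts_a": b.verify(auth_a)}


if __name__ == "__main__":
    psk = b"correct horse battery staple"   # made-up pre-shared key
    print("honest:", run_exchange(Peer("alice", psk), Peer("bob", psk)))
    print("mitm:  ", run_exchange(Peer("alice", psk), Peer("bob", psk), Peer("mallory", b"?")))
```

The three cases a practitioner should see: honest peers agree on keys and accept each other; a peer with the wrong PSK still agrees on keys (Diffie-Hellman alone proves nothing about identity) but fails AUTH both ways; an active attacker who replaces the public values leaves the two sides with different keys and different transcripts, so neither AUTH verifies. The group-14 modulus is hard-coded here only so the example runs offline; in a deployment the group comes from the negotiated proposal.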

32
PPTP
  • Developed by Microsoft for granting VPN access to
    remote users over dial-up connections
  • Uses Microsoft Point-to-Point Encryption (MPPE) to
    encrypt data, with keys derived from the MS-CHAP
    password authentication
  • Useful only where support for older clients cannot
    be avoided: MS-CHAPv2 can be broken offline and the
    MPPE keys derived from it recovered, so PPTP should
    not be relied on for confidentiality
  • Works through Network Address Translation (NAT)
    only when the NAT device handles GRE (IP protocol
    47), which carries the tunneled data alongside the
    TCP port 1723 control channel
  • Superseded by L2TP/IPSec

33
L2TP
  • Tunnels PPP frames, so dial-up and other remote
    users can establish a VPN connection to a remote
    access server
  • Provides no encryption of its own; it relies on
    IPSec (ESP) to encrypt and authenticate the
    tunneled data, hence "L2TP/IPSec"
  • Originally incompatible with NAT because AH's
    integrity check covers the IP addresses and NAT
    devices cannot track ESP, which has no port
    numbers; IPSec NAT Traversal (NAT-T, ESP wrapped in
    UDP port 4500) removes that limitation where both
    ends support it, and the combination provides
    stronger encryption and authentication than PPTP

34
PPP Over SSL and PPP Over SSH
  • Two UNIX-based methods for creating VPNs
  • Both combine an existing tunnel system (PPP) with a
    way of encrypting data in transport (SSL or SSH)
  • SSL (today TLS)
  • Uses public-key cryptography (server certificates)
    to authenticate the server and negotiate symmetric
    session keys; the protocol that secures the Web
  • SSH
  • UNIX secure shell; authenticates the server by its
    host key and the user by a password or public key,
    then encrypts the session with a negotiated
    symmetric key
  • Caveat: both carry IP inside a TCP connection, and
    TCP-over-TCP performs badly on lossy links because
    the inner and outer retransmission timers fight
    each other

35
When to Use Different VPN Protocols
36
Enabling Remote Access Connections within VPNs
  • Issue the user VPN client software
  • Make sure the user's computer is equipped with
    anti-virus software and a firewall
  • May need to obtain a key for the remote user if
    you plan to use IPSec to make VPN connection as
    well

37
Configuring the Server
  • Major operating systems include ways of providing
    secure remote access
  • Linux
  • IP Masquerade (NAT) feature, which lets the
    gateway forward and translate traffic for the
    internal network
  • Windows XP and 2000
  • Network Connections Wizard

38
Configuring the Server
39
Configuring the Server
40
Configuring Clients
  • Involves either installing and configuring VPN
    client software or using the Network Connection
    Wizard
  • Client workstation must be protected by a firewall

41
VPN Best Practices
  • Security policy rules that specifically apply to
    the VPN
  • Integration of firewall packet filtering with VPN
    traffic
  • Auditing the VPN to make sure it is performing
    acceptably

42
The Need for a VPN Policy
  • Identify who can use the VPN
  • Ensure that all users know what constitutes
    proper use of the VPN
  • Which authentication method is required (for
    example a pre-shared key, certificates, or a
    second factor)
  • Whether split tunneling is permitted (the client
    sending Internet traffic outside the tunnel while
    connected, which bridges the internal network to
    whatever else the client is attached to)
  • How long users can be connected at any one
    session
  • Whether virus protection is included

43
Packet Filtering and VPNs
  • Encryption and decryption of data can be
    performed either outside the packet-filtering
    perimeter or inside it

44
(No Transcript)
45
(No Transcript)
46
PPTP Filter Rules
47
L2TP and IPSec Packet-Filtering Rules
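
Added example, not part of the presentation, of the filter rules the two slides above (PPTP rules; L2TP and IPSec rules) refer to, as a small first-match rule evaluator run over constructed packets. The `from_tunnel` flag models the point made on the Packet Filtering and VPNs slide: traffic is filtered once on the outside (only the VPN protocols may reach the gateway) and again after decryption on the inside (VPN clients may reach only the services policy allows). Gateway, LAN and client-pool addresses are made up; the rules are stateless and cover the inbound direction only, so a real firewall also needs return-traffic rules or connection tracking.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "esp", "ah", "gre", ...
    src: str
    dst: str
    dport: Optional[int] = None
    from_tunnel: bool = False  # True once the VPN gateway has decapsulated it


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    proto: Optional[str] = None
    src: Optional[str] = None           # CIDR, or None for any
    dst: Optional[str] = None
    dport: Optional[int] = None
    from_tunnel: Optional[bool] = None  # None = match on either side of the gateway

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or p.dport == self.dport)
                and (self.from_tunnel is None or p.from_tunnel == self.from_tunnel))


def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Assumed addresses: VPN gateway, internal LAN, and the pool handed to VPN clients.
GW, LAN, VPN_POOL = "203.0.113.1/32", "10.0.0.0/16", "10.200.0.0/24"


def pptp_rules(gw=GW):
    """PPTP: TCP/1723 control channel plus GRE (IP protocol 47) for the data."""
    return [Rule("allow", "tcp", dst=gw, dport=1723),
            Rule("allow", "gre", dst=gw)]


def l2tp_ipsec_rules(gw=GW):
    """L2TP/IPSec: IKE on UDP/500, NAT-T on UDP/4500, ESP (50) and AH (51).
    L2TP itself (UDP/1701) is accepted only after it came out of the IPSec
    tunnel, so nobody can reach the L2TP server in the clear from the Internet."""
    return [Rule("allow", "udp", dst=gw, dport=500),
            Rule("allow", "udp", dst=gw, dport=4500),
            Rule("allow", "esp", dst=gw),
            Rule("allow", "ah", dst=gw),
            Rule("allow", "udp", dst=gw, dport=1701, from_tunnel=True),
            Rule("deny", "udp", dport=1701)]


def inner_rules(lan=LAN, pool=VPN_POOL):
    """Filtering inside the perimeter, on decrypted traffic from VPN clients:
    remote users reach only the services the VPN policy allows."""
    return [Rule("allow", "tcp", src=pool, dst=lan, dport=443, from_tunnel=True),
            Rule("allow", "tcp", src=pool, dst=lan, dport=445, from_tunnel=True)]


if __name__ == "__main__":
    rules = l2tp_ipsec_rules() + inner_rules()
    for p in (Packet("udp", "198.51.100.7", "203.0.113.1", 500),
              Packet("udp", "198.51.100.7", "203.0.113.1", 1701),
              Packet("tcp", "10.200.0.5", "10.0.1.20", 3389, from_tunnel=True)):
        print(evaluate(rules, p), p)
```

The two cases that are easy to get wrong in practice are the plaintext UDP/1701 packet, which must be dropped even though the same port is allowed once it has come through IPSec, and the decrypted client traffic, which must be filtered a second time rather than trusted because it arrived over the VPN.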
48
Auditing and Testing the VPN
  • Time consuming
  • Choose client software that is easy for end users
    to install on their own to save you time and
    effort