Title: Setting Up a Virtual Private Network
1 Setting Up a Virtual Private Network
2 Learning Objectives
- Understand the components and essential operations of virtual private networks (VPNs)
- Describe the different types of VPNs
- Create VPN setups such as mesh or hub-and-spoke configurations
- Choose the right tunneling protocol for your VPN
- Enable secure remote access for individual users via a VPN
- Observe best practices for configuring and maintaining VPNs effectively
3 VPNs
- Goal: provide a cost-effective and secure way to connect businesses to one another and remote workers to office networks
- Encapsulate and encrypt data being transmitted
- Use authentication to ensure that only approved users can access the VPN
- Provide a means of secure point-to-point communications over the public Internet
4 VPN Components and Operations
- Essential components that make up a VPN
- How VPNs enable data to be accessed securely
- Advantages and disadvantages of using VPNs compared to leased lines
- How VPNs extend network boundaries
5 Components within VPNs
- Hardware devices
  - Can have two endpoints or terminators
  - Can have a (virtual) tunnel
- Software that performs security-related activities
9 Devices That Form the Endpoints of the VPN
- Server running a tunneling protocol
- VPN appliance
- A firewall/VPN combination
- A router-based VPN
10 Essential Activities of VPNs
- IP encapsulation
- Data payload encryption
- Encrypted authentication
11 IP Encapsulation
- Provides a high degree of protection
- The VPN encapsulates the actual data packets within packets that use the source and destination addresses of the VPN gateways
- Source and destination information of the actual data packets is completely hidden
- Because a VPN tunnel is used, the source and destination IP addresses of the actual data packets can be in private reserved blocks not usually routable over the Internet
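The encapsulation described on this slide, as an added worked example (not code from the slide deck): a packet between two private-address hosts is wrapped in an outer IPv4 header that carries only the two gateways' addresses, crosses the "Internet", and is unwrapped at the far gateway. The host and gateway addresses are constructed (RFC 1918 and documentation ranges); the outer protocol number is IP-in-IP (protocol 4), which is what a plain IP tunnel uses before any encryption is added.

```python
import struct
import ipaddress

# Constructed example addresses: private inner hosts and public-facing VPN gateways.
INNER_SRC = "10.0.1.5"        # host on branch LAN A
INNER_DST = "10.0.2.7"        # host on branch LAN B
GATEWAY_A = "203.0.113.1"     # VPN gateway at site A (documentation range)
GATEWAY_B = "198.51.100.1"    # VPN gateway at site B (documentation range)

IPPROTO_IPIP = 4   # IP-in-IP encapsulation
IPPROTO_TCP = 6


def checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) followed by the payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def header_checksum_ok(packet: bytes) -> bool:
    """A header whose checksum field is valid sums to zero."""
    return checksum(packet[:20]) == 0


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload) for a packet with a 20-byte header."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.ip_address(packet[12:16]))
    dst = str(ipaddress.ip_address(packet[16:20]))
    return src, dst, proto, packet[ihl:]


def encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel entry: wrap the whole inner packet (header included) in an outer
    header addressed from this gateway to the peer gateway."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> bytes:
    """Tunnel exit: strip the outer header and hand back the original packet."""
    _, _, proto, inner = parse_ipv4(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("not an encapsulated packet")
    return inner


def demo():
    inner = build_ipv4(INNER_SRC, INNER_DST, IPPROTO_TCP, b"hello from LAN A")
    outer = encapsulate(inner, GATEWAY_A, GATEWAY_B)
    o_src, o_dst, _, _ = parse_ipv4(outer)      # what the Internet sees
    i_src, i_dst, _, payload = parse_ipv4(decapsulate(outer))
    return {"outer": (o_src, o_dst), "inner": (i_src, i_dst), "payload": payload,
            "inner_private": ipaddress.ip_address(i_src).is_private,
            "outer_checksum_ok": header_checksum_ok(outer)}


if __name__ == "__main__":
    print(demo())
```

The outer header is the only one a router between the two sites ever inspects, which is why the inner addresses can come from non-routable private blocks. Real VPN tunnels add encryption and integrity protection around the inner packet; this block shows the addressing effect alone.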
12 Data Payload Encryption
- Transport method
- Tunnel method
13 Encrypted Authentication
- Hosts are authenticated by exchanging long blocks of code (keys) that are generated by complex formulas (algorithms)
- Types of keys that can be exchanged
  - Symmetric keys
  - Asymmetric keys
14 Advantages and Disadvantages of VPNs
15 VPNs Extend a Network's Boundaries
- To deal with the increased risk caused by VPN connections:
  - Use two or more authentication tools to identify remote users
  - Integrate virus protection
  - Set usage limits
16 Types of VPNs
- Site-to-site VPN
  - Links two or more networks
- Client-to-site VPN
  - Makes a network accessible to remote users who need dial-in access
17 VPN Appliances
- Hardware devices specially designed to terminate VPNs and join multiple LANs
- Permit connections, but do not provide other services (e.g., file sharing, printing)
- Enable connections of more tunnels and users than software systems
- Examples
  - SonicWALL series
  - Symantec Firewall/VPN appliance
18 Advantage of Using Hardware Systems
19 Software VPN Systems
- Generally less expensive than hardware systems
- Tend to scale better for fast-growing networks
- Examples
  - F-Secure VPN
  - Novell BorderManager VPN services
  - Check Point FireWall-1
20 VPN Combinations of Hardware and Software
- Cisco 3000 Series VPN Concentrator
  - Gives users the choice of operating in
    - Client mode, or
    - Network extension mode
21 VPN Combinations of Different Vendors' Products
- Challenge: get all pieces to talk to and communicate with one another successfully
- Pick a standard security protocol that is widely used and that all devices support (e.g., IPSec)
22 VPN Setups
- If two participants
  - Configuration is relatively straightforward in terms of expense, technical difficulty, and time
- If three or more, several options
  - Mesh configuration
  - Hub-and-spoke arrangement
  - Hybrid setup
23 Mesh Configuration
- Connects multiple computers that each have a security association (SA) with all other machines in the VPN
25 Hub-and-Spoke Configuration
- A single VPN router maintains records of all SAs
- Any device that wishes to participate in the VPN need only connect to the central router
- Easy to increase the size of the VPN
- The requirement that all communications flow into and out of the central router slows down communications
27 Hybrid Configuration
- Benefits from the strengths of each: the scalability of the hub-and-spoke option and the speed of the mesh option
- Use mesh for the most important branches of the network and critical communications
- Use hub-and-spoke for overseas branches and for new branch offices
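The three layouts from slides 23, 25 and 27 side by side, as an added example that is not part of the slide deck. It generates the list of security associations each layout requires for a set of constructed site names and counts how many tunnels a packet crosses between any two sites, which makes the scalability/speed trade-off the slides describe concrete: a mesh needs n(n-1)/2 SAs but every pair is one hop apart, hub-and-spoke needs only n-1 SAs but spoke-to-spoke traffic is two hops, and the hybrid meshes only the critical core. Site names and the choice of core are assumptions for the walkthrough.

```python
from collections import deque
from itertools import combinations

# Constructed site names; "HQ" acts as the hub.
SITES = ["HQ", "Branch-A", "Branch-B", "Branch-C", "Overseas-D"]


def mesh_sas(sites):
    """Every site holds an SA with every other site: n(n-1)/2 pairs."""
    return sorted(tuple(sorted(pair)) for pair in combinations(sites, 2))


def hub_and_spoke_sas(sites, hub):
    """Only the hub tracks SAs; each spoke needs a single SA to the hub: n-1 pairs."""
    return sorted(tuple(sorted((hub, s))) for s in sites if s != hub)


def hybrid_sas(sites, hub, core):
    """Mesh among the critical 'core' sites (which must include the hub);
    every remaining site is a spoke attached to the hub."""
    if hub not in core:
        raise ValueError("hub must be part of the meshed core")
    core_pairs = set(mesh_sas(core))
    spoke_pairs = {tuple(sorted((hub, s))) for s in sites if s not in core}
    return sorted(core_pairs | spoke_pairs)


def hops(sas, a, b):
    """Number of tunnels traversed from a to b (breadth-first search over the SA graph).
    Returns None when the two sites are not connected at all."""
    adj = {}
    for x, y in sas:
        adj.setdefault(x, set()).add(y)
        adj.setdefault(y, set()).add(x)
    dist, queue = {a: 0}, deque([a])
    while queue:
        cur = queue.popleft()
        if cur == b:
            return dist[cur]
        for nxt in adj.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return None


def compare(sites, hub, core):
    """SA count and worst-case hop count for each layout."""
    layouts = {
        "mesh": mesh_sas(sites),
        "hub-and-spoke": hub_and_spoke_sas(sites, hub),
        "hybrid": hybrid_sas(sites, hub, core),
    }
    summary = {}
    for name, sas in layouts.items():
        worst = max(hops(sas, a, b) for a, b in combinations(sites, 2))
        summary[name] = {"sas": len(sas), "worst_hops": worst}
    return summary


if __name__ == "__main__":
    for name, stats in compare(SITES, "HQ", ["HQ", "Branch-A", "Branch-B"]).items():
        print(f"{name:14s} SAs={stats['sas']:2d} worst-case hops={stats['worst_hops']}")
```

Adding a sixth site costs five new SAs in the mesh but one in hub-and-spoke, which is the growth the slides have in mind when they call hub-and-spoke easy to extend; the hybrid keeps the single-hop path only between the core sites that carry critical traffic.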
28 Configurations and Extranet and Intranet Access
- Extranet
  - Enable firewalls and anti-virus software for each remote user or business partner
- Intranet
  - Establish usage limits
  - Set up anti-virus and firewall protection
29 Configurations and Extranet and Intranet Access
30 Tunneling Protocols Used with VPNs
- IPSec/IKE
- PPTP (Point-to-Point Tunneling Protocol)
- L2TP (Layer 2 Tunneling Protocol)
- PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer)
- PPP over SSH (Point-to-Point Protocol over Secure Shell)
31 IPSec/IKE
- IPSec provides
  - Encryption of the data part of packets
  - Authentication
  - Encapsulation between two VPN hosts
  - Two security methods (AH and ESP)
  - Capability to work in two modes (transport and tunnel)
- IKE provides
  - Exchange of public and private keys
  - Ability to determine which encryption protocols should be used to encrypt data that flows through the VPN tunnel
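An added example (not from the slide deck) of what the AH security method and the two IPSec modes on this slide do for a receiving host. The packet layout is a simplified stand-in (source, destination, TTL, payload) rather than the real AH wire format, and the shared key is a constructed value standing in for what IKE would negotiate. The integrity check value is an HMAC-SHA-256 truncated to 128 bits, as the IPSec HMAC-SHA-256-128 algorithm of RFC 4868 does, computed with the mutable TTL field zeroed so that a router decrementing TTL does not break verification while any change to addresses or payload does. In transport mode the original header is protected in place; in tunnel mode the whole original packet becomes the payload of a new gateway-to-gateway packet, so even the inner addresses are covered.

```python
import hashlib
import hmac
import ipaddress

# Constructed shared key; in a real deployment IKE negotiates one per SA.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def serialize(src, dst, ttl, payload, zero_mutable=False):
    """Simplified packet layout: src(4) | dst(4) | ttl(1) | payload.
    AH computes its ICV with mutable header fields (here TTL) zeroed, because
    routers legitimately change them in transit."""
    ttl_byte = bytes([0 if zero_mutable else ttl])
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + ttl_byte + payload)


def ah_icv(key, src, dst, ttl, payload):
    """Integrity Check Value: HMAC-SHA-256 truncated to 128 bits (HMAC-SHA-256-128)."""
    data = serialize(src, dst, ttl, payload, zero_mutable=True)
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def ah_transport(key, src, dst, ttl, payload):
    """Transport mode: the original header is kept and the ICV covers it."""
    return {"src": src, "dst": dst, "ttl": ttl, "payload": payload,
            "icv": ah_icv(key, src, dst, ttl, payload)}


def ah_tunnel(key, gw_src, gw_dst, src, dst, ttl, payload):
    """Tunnel mode: the whole original packet becomes the protected payload of a
    new packet addressed between the two gateways."""
    inner = serialize(src, dst, ttl, payload)
    return ah_transport(key, gw_src, gw_dst, 64, inner)


def ah_verify(key, pkt):
    """Receiver recomputes the ICV; constant-time comparison avoids timing leaks."""
    expected = ah_icv(key, pkt["src"], pkt["dst"], pkt["ttl"], pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


def scenarios():
    """Which packets the receiving host accepts (True) or rejects (False)."""
    pkt = ah_transport(SHARED_KEY, "10.0.1.5", "10.0.2.7", 64, b"GET /report")
    hop = dict(pkt, ttl=pkt["ttl"] - 1)            # a router decremented TTL
    tampered = dict(pkt, payload=b"GET /secret")   # payload altered in transit
    rewritten = dict(pkt, src="10.0.9.9")          # source address rewritten
    tun = ah_tunnel(SHARED_KEY, "203.0.113.1", "198.51.100.1",
                    "10.0.1.5", "10.0.2.7", 64, b"GET /report")
    # inner packet's source address rewritten inside the tunnel
    tun_bad = dict(tun, payload=serialize("10.0.9.9", "10.0.2.7", 64, b"GET /report"))
    return {"intact": ah_verify(SHARED_KEY, pkt),
            "ttl_decremented": ah_verify(SHARED_KEY, hop),
            "payload_tampered": ah_verify(SHARED_KEY, tampered),
            "src_rewritten": ah_verify(SHARED_KEY, rewritten),
            "tunnel_intact": ah_verify(SHARED_KEY, tun),
            "tunnel_inner_changed": ah_verify(SHARED_KEY, tun_bad)}


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

AH gives integrity and origin authentication only; the payload above is still readable in transit, which is why deployments that need the "encryption of the data part" listed on the slide use ESP (or ESP with its own authentication) instead.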
32 PPTP
- Developed by Microsoft for granting VPN access to remote users over dial-up connections
- Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data
- Useful if support for older clients is needed
- Compatible with Network Address Translation (NAT)
- Replaced by L2TP
33 L2TP
- Extension to PPP that enables dial-up users to establish a VPN connection to a remote access server
- Uses IPSec to encrypt data
- Incompatible with NAT but provides a higher level of encryption and authentication
34 PPP over SSL and PPP over SSH
- Two UNIX-based methods for creating VPNs
- Both combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH)
- SSL
  - Public key encryption system used to provide secure communications over the Web
- SSH
  - UNIX secure shell that uses secret key encryption (pre-shared key) to authenticate participants
35 When to Use Different VPN Protocols
36 Enabling Remote Access Connections within VPNs
- Issue the user VPN client software
- Make sure the user's computer is equipped with anti-virus software and a firewall
- May need to obtain a key for the remote user if you plan to use IPSec to make the VPN connection as well
37 Configuring the Server
- Major operating systems include ways of providing secure remote access
  - Linux
    - IP Masquerade feature
  - Windows XP and 2000
    - Network Connections Wizard
38 Configuring the Server
39 Configuring the Server
40 Configuring Clients
- Involves either installing and configuring VPN client software or using the Network Connection Wizard
- Client workstation must be protected by a firewall
41 VPN Best Practices
- Security policy rules that specifically apply to the VPN
- Integration of firewall packet filtering with VPN traffic
- Auditing the VPN to make sure it is performing acceptably
42 The Need for a VPN Policy
- Identify who can use the VPN
- Ensure that all users know what constitutes proper use of the VPN
- Whether and how authentication is to be used
- Whether split tunneling is permitted
- How long users can be connected at any one session
- Whether virus protection is included
43 Packet Filtering and VPNs
- Encryption and decryption of data can be performed either outside the packet-filtering perimeter or inside it
46 PPTP Filter Rules
47 L2TP and IPSec Packet-Filtering Rules
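The rule tables for slides 46 and 47 did not survive extraction, so here is an added example (not the deck's own tables) of the perimeter filter rules a VPN gateway needs and a small first-match evaluator to check sample packets against them. The protocol and port numbers are the standard ones: IKE on UDP 500 (UDP 4500 when NAT traversal is in use), ESP as IP protocol 50, AH as IP protocol 51, PPTP control on TCP 1723 with GRE (IP protocol 47) for the tunnelled data, and L2TP on UDP 1701 carried inside ESP when paired with IPSec. The gateway and host addresses are constructed values from documentation ranges. Every rule set ends in an implicit deny, so VPN traffic aimed at anything other than the gateway is dropped.

```python
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 6, 17, 47, 50, 51

# Constructed addresses (documentation ranges): the VPN gateway sits on the
# perimeter; 10.0.0.0/8 is the internal LAN behind it.
VPN_GATEWAY = "203.0.113.10"
INTERNAL_HOST = "10.0.5.20"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # only meaningful for TCP/UDP


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[int] = None   # None matches any protocol
    dst: Optional[str] = None     # None matches any destination
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First-match packet filter with an implicit deny at the end."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# IPSec/IKE: IKE negotiates over UDP 500 (UDP 4500 with NAT traversal); the
# protected traffic then arrives as ESP (protocol 50) or AH (protocol 51).
# All of it terminates on the gateway, so nothing is allowed straight to the LAN.
IPSEC_RULES = [
    Rule("allow", IPPROTO_UDP, VPN_GATEWAY, 500),
    Rule("allow", IPPROTO_UDP, VPN_GATEWAY, 4500),
    Rule("allow", IPPROTO_ESP, VPN_GATEWAY),
    Rule("allow", IPPROTO_AH, VPN_GATEWAY),
]

# PPTP: control channel on TCP 1723 plus GRE (protocol 47) for the tunnelled data.
PPTP_RULES = [
    Rule("allow", IPPROTO_TCP, VPN_GATEWAY, 1723),
    Rule("allow", IPPROTO_GRE, VPN_GATEWAY),
]

# L2TP over IPSec: the L2TP session (UDP 1701) travels inside ESP, so the
# perimeter needs only the IPSec rules; bare UDP 1701 stays blocked.
L2TP_IPSEC_RULES = IPSEC_RULES


def audit(rules: List[Rule], packets: List[Packet]):
    """Run a batch of sample packets through a rule set for review."""
    return [(p, evaluate(rules, p)) for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", VPN_GATEWAY, IPPROTO_ESP),
        Packet("198.51.100.7", INTERNAL_HOST, IPPROTO_ESP),
        Packet("198.51.100.7", VPN_GATEWAY, IPPROTO_UDP, 1701),
        Packet("198.51.100.7", VPN_GATEWAY, IPPROTO_TCP, 1723),
    ]
    for p, verdict in audit(L2TP_IPSEC_RULES, samples):
        print(f"{verdict:5s} proto={p.proto:<3} dst={p.dst} dport={p.dport}")
```

Whether these rules sit in front of or behind the device that decrypts (slide 43) changes what the filter can see: outside the perimeter it can only match on the outer protocol and gateway address, as above; inside it, after decryption, ordinary rules on the inner addresses and ports apply.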
48 Auditing and Testing the VPN
- Time consuming
- Choose client software that is easy for end users to install on their own to save you time and effort