
Virtual Private Networks




  1. Virtual Private Networks Version B.00 H7076S Module 2 Slides

  2. The Security Problem with IP Today
     [Diagram: users in San Francisco reach a server (K-CLASS) in Chicago across the Internet; a "bad guy" sits on the path between them]
     • It is trivial to snoop on Internet traffic, including passwords sent over the network.
     • It is fairly easy to forge IP packets and impersonate another user or machine.
     • Malicious people exist who actually do these things.

  3. What Is a Virtual Private Network?
     [Diagram: Site A Intranet and Site B Intranet, each behind its own VPN Server, joined across the Internet; a mobile client connects from outside. Legend: encrypted link / non-encrypted link]
     • The nodes in site A and B use non-encrypted links when performing Intranet communications.
     • The nodes use encrypted links when communicating across the Internet.
     • This mobile client uses encrypted links when communicating with systems in site A and B.

  4. Types of Virtual Private Networks
     Types of VPNs / HP Solution
     • Network-to-Network: replace expensive dedicated leased-line WAN charges for site-to-site data connectivity (HP solution: e-Firewall)
     • Network-to-Host (Remote Access): replace expensive modem pools and ISDN per-minute charges (HP solution: Extranet)
     • Host-to-Host: end-to-end security to protect sensitive data for intra- or inter-network communications (HP solution: IPSec/9000)

  5. HP Solutions for VPNs
     [Diagram: Corporate HQ Site, Branch, Host, Business Partner and a laptop computer joined by encrypted "tunnels" across The Global Internet, with K-CLASS firewall and encryption devices at the sites]
     • e-Firewall
     • HP-UX IPSec/9000
     • Extranet VPN
     • e-Firewall with Mobile client option

  6. Network-to-Network VPNs
     [Diagram: Corporate Headquarters, Field Office, Overseas Site and Business Partner, each with K-CLASS firewall and encryption devices, joined by multiple encrypted "tunnels" across The Global Internet]
     • Value Prop: Low Cost, Quick Setup of WAN Connectivity

  7. Remote Access VPNs
     [Diagram: a Mobile Laptop User on a dialup line or an ISDN or DSL connection reaches the Corporate HQ Site's VPN Gateway Device (K-CLASS) across The Global Internet]
     • All connections initiated by remote user
     • Encryption occurs on Software Client

  8. Host-to-Host VPNs
     [Diagram: Business Partner across The Global Internet to the Corporate HQ Site, including its DMZ]
     • End-to-End Security
     • Within the Enterprise
     • Through the Internet

  9. VPN Software Products
     • Application Level Security
       Products: Public Domain S/W (socks), hp Extranet VPN
       Advantages: close integration with the application
       Disadvantages: may need to modify the application
     • Network Level Security
       Products: hp IPFilter/9000, hp IPSec/9000, hp e-Firewall
       Advantages: no need to modify applications
       Disadvantages: may need to modify firewall configuration
     • Link Level Security
       Products: PPTP, L2TP
       Advantages: easy to implement
       Disadvantages: not scalable

  10. Why a System Firewall?
     [Diagram: a remote user on ISDN, DSL or dial-up connections reaches the Corporate HQ Site's VPN Gateway Device (K-CLASS) across The Global Internet; a hacker eyeing the remote host thinks: "If I can get into their host, maybe I can go through their VPN. I wonder which ports are open? They probably have no firewall." Caption: System Firewall needed!!]

  11. Hewlett-Packard's Solution
     • HP IPFilter/9000 – B9901AA
     • Features supported by Hewlett-Packard:
       • Full-fledged stateful inspection firewall
       • Free product
       • Workstations and servers
       • HP-UX 11.0 and 11i
     • Features not supported by Hewlett-Packard (features supported in public domain):
       • Perimeter firewall
       • Network address translation

  12. How a System Firewall Works
     [Diagram: packets from the Intranet destined for our machine, and not part of a VPN connection that we initiated, arrive at a host with the System Firewall installed; IPFilter rules pass or block depending upon the rules: packets that match pass rules reach the host, packets that match block rules go to the bit bucket]

  13. Hardware and Software Requirements
     • Hewlett-Packard 9000 series 800 or 700
     • HP-UX 11.0 or 11i operating system
     • Dynamically loadable kernel module support
     • Commands to verify:
       # uname -a
       # kmsystem -q dlkm

  14. Patches Required
     • PHNE_22397 (or newer replacement for 32-bit or 64-bit 11.0)
     • PHCO_22899 (or newer replacement for 32-bit 11.0)
     • PHCO_22989 (or newer replacement for 32-bit 11i)
     • Command to verify:
       # swlist -l product patch_name

  15. Installation
     • Use SD-UX to install product number B9901AA
     • Available on application CD AP0301
     • Command to use:
       # swinstall
     • Configuration file and start-up scripts installed:
       /etc/rc.config.d/ipfconf
       /sbin/init.d/pfilboot
       /sbin/init.d/ipfboot

  16. Verification of Installation
     • To verify the product was installed correctly after reboot:
       # kmadmin -s
       # ps -ef | grep ipmon
     • Logs to look at if installation unsuccessful:
       /etc/rc.log
       /var/adm/sw/swagent.log
       /var/adm/sw/swinstall.log

  17. Filter Rules
     • Rules are processed from top to bottom
     • Last match takes effect
     • See Installing and Administering IPFilter/9000 or the public domain HOWTO document for detailed explanations.
     • Rule File:
       /etc/opt/ipf/ipf.conf
     • Default file is empty; implied contents:
       pass in all
       pass out all
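The pass-or-block decision of slide 12 and the ordering rules of slide 17 (top to bottom, last match takes effect, an empty file means pass everything) as an added example that is not part of the HP course material: a small evaluator for a subset of IPFilter rule syntax, run over a constructed ipf.conf-style rule set. The `quick` keyword is real IPFilter syntax that the slide does not mention; it is included to show how it changes the last-match behaviour. The rule subset, the packet dictionary layout and the sample rules are this example's own assumptions.

```python
import ipaddress  # stdlib; used for CIDR matching of from/to addresses

def parse_rule(line):
    """Parse 'pass|block in|out [quick] [proto P] from A to B [port = N]' (subset)."""
    toks = line.split("#")[0].split()          # strip trailing comments
    if not toks:
        return None
    rule = {"action": toks[0], "dir": toks[1], "quick": False,
            "proto": None, "src": "any", "dst": "any", "port": None}
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":                        # real IPFilter keyword: stop at this match
            rule["quick"], i = True, i + 1
        elif t in ("proto", "from", "to"):
            rule[{"proto": "proto", "from": "src", "to": "dst"}[t]] = toks[i + 1]
            i += 2
        elif t == "port":                       # only the 'port = N' form is handled
            rule["port"], i = int(toks[i + 2]), i + 3
        elif t == "all":
            i += 1
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["proto"] in (None, pkt["proto"])
            and _addr_ok(rule["src"], pkt["src"]) and _addr_ok(rule["dst"], pkt["dst"])
            and rule["port"] in (None, pkt["dport"]))

def decide(conf, pkt):
    """Return 'pass' or 'block' for one packet under a rule file's text."""
    verdict = "pass"                            # empty file == 'pass in all / pass out all'
    for rule in filter(None, map(parse_rule, conf.splitlines())):
        if _matches(rule, pkt):
            verdict = rule["action"]            # last match takes effect ...
            if rule["quick"]:
                break                           # ... unless that match is 'quick'
    return verdict

# Constructed sample in the style of /etc/opt/ipf/ipf.conf (not the course's file).
HOST_RULES = """
block in all
pass out all
pass in proto tcp from 10.1.0.0/16 to any port = 22
block in proto tcp from 10.1.99.0/24 to any port = 22   # later rule overrides the pass
"""
```

Swapping the last two rules of HOST_RULES would let 10.1.99.0/24 back in, which is the ordering mistake the "last match takes effect" bullet warns about.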
