Protecting Extranet Communications: Key VPN Protocols and Security Practices
This chapter explores critical elements for securing extranet communications, focusing on various VPN protocols such as PPTP and L2TP/IPSec. It discusses authentication methods, remote access policies (RAPs), and quarantine control to verify client security before granting access. Best practices for remote access and guidelines for optimizing VPN architectures to reduce latency are highlighted. Additionally, it addresses demand-dial links and the effective use of the Connection Manager Administration Kit (CMAK) for deployment.
Chapter 11 PROTECTING EXTRANET COMMUNICATIONS
Chapter 11: Protecting Extranet Communications
VPN PROTOCOLS
• Point-to-Point Tunneling Protocol (PPTP):
  • Not an IETF standard (documented only in the informational RFC 2637)
  • Linux and Mac software available
  • Tunnel (MPPE) keys are derived from the MS-CHAP password exchange, so the tunnel is only as strong as the user's password
• Layer 2 Tunneling Protocol over Internet Protocol Security (L2TP/IPSec):
  • Standards-based
  • Linux and Mac software commonly available
  • Early versions of Microsoft Windows require the Windows Dial-Up Networking version 1.4 Upgrade
VPN AUTHENTICATION METHODS
• EAP
• MS-CHAP (v1 and v2)
• CHAP
• SPAP
• PAP
• Pre-shared keys (IPSec computer authentication for L2TP/IPSec, used in place of computer certificates)
• Unauthenticated access
CONNECTION MANAGER ADMINISTRATION KIT (CMAK)
• Simplify deployment of remote access client configurations:
  • Routing table updates
  • Proxy configuration
  • Phone books
  • VPN server
  • Protocols
REMOTE ACCESS POLICIES (RAPs)
• Control who connects remotely to your network
• Evaluated in order: the first policy whose conditions match is applied, and its permission and profile decide the attempt
• RAPs consist of:
  • Conditions
  • Permission
  • Profile settings
REMOTE ACCESS POLICY SCREENSHOT
QUARANTINE CONTROL
• Network Access Quarantine Control (Windows Server 2003) verifies client security before allowing full remote access:
  • Antivirus software is installed
  • Critical updates are installed
  • Known worms and viruses are not present
• Until the checks pass, the client is held behind quarantine packet filters and a quarantine session timeout
• Can grant access to download required software and updates
QUARANTINE CONTROL COMPONENTS
• A Connection Manager profile with a post-connect action that runs the network policy requirements script
• A network policy requirements script
• A notifier component on the client: Rqc.exe
• A listener component on the remote access server: Rqs.exe
QUARANTINE CONTROL NETWORK
REMOTE ACCESS BEST PRACTICES
• Require smart cards or client certificates (EAP-TLS)
• Enforce strong password policies
• Disable PAP, SPAP, CHAP, LM, and MS-CHAP (v1); allow MS-CHAP v2 only for clients that cannot use EAP
• Upgrade VPN servers to Windows 2000 Server or Windows Server 2003
• Require L2TP/IPSec with the strongest encryption
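The RAP, quarantine control and best-practice slides describe one decision flow: policies are evaluated in order, the matched policy's permission and profile are applied, and a quarantine policy releases the client only after the requirements script passes and the listener accepts the script version. The Python model below is an added example, not code from the chapter or from Microsoft: the policy names, groups, update identifiers, process names and the shape of the notification are constructed for illustration, and the real Rqc.exe/Rqs.exe wire exchange is not reproduced. Only the component roles, the AllowedSet check and the default listener port 7250 follow the product.

```python
from dataclasses import dataclass

ENC_RANK = {"none": 0, "basic": 1, "strong": 2, "strongest": 3}
RQS_PORT = 7250  # default TCP port on which the Rqs.exe listener accepts Rqc.exe notifications

@dataclass(frozen=True)
class Attempt:
    user: str
    groups: frozenset
    tunnel: str       # "PPTP" or "L2TP"
    auth: str         # "EAP-TLS", "MS-CHAP-v2", "MS-CHAP", "CHAP", "SPAP", "PAP"
    encryption: str   # key in ENC_RANK

@dataclass(frozen=True)
class Policy:
    name: str
    conditions: dict          # "group" -> set of groups, "tunnel" -> set of tunnel types
    permission: str           # "grant" or "deny"
    allowed_auth: frozenset = frozenset()
    allowed_tunnels: frozenset = frozenset()
    min_encryption: str = "none"
    quarantine: bool = False  # profile carries MS-Quarantine-IPFilter / MS-Quarantine-Session-Timeout

def conditions_match(policy, attempt):
    """Every condition must hold; a group condition holds if the user is in any listed group."""
    for attr, allowed in policy.conditions.items():
        if attr == "group" and not (attempt.groups & allowed):
            return False
        if attr == "tunnel" and attempt.tunnel not in allowed:
            return False
    return True

def evaluate(policies, attempt):
    """RRAS/IAS order: the first policy whose conditions match decides. Its permission is
    applied first, then its profile constraints; a profile failure rejects the attempt
    rather than falling through to the next policy. Returns (decision, policy name, reason)."""
    for p in policies:
        if not conditions_match(p, attempt):
            continue
        if p.permission == "deny":
            return ("reject", p.name, "permission denied")
        if attempt.auth not in p.allowed_auth:
            return ("reject", p.name, f"auth {attempt.auth} not allowed by profile")
        if attempt.tunnel not in p.allowed_tunnels:
            return ("reject", p.name, f"tunnel {attempt.tunnel} not allowed by profile")
        if ENC_RANK[attempt.encryption] < ENC_RANK[p.min_encryption]:
            return ("reject", p.name, "encryption weaker than profile minimum")
        return ("quarantine" if p.quarantine else "accept", p.name, "profile satisfied")
    return ("reject", None, "no matching policy")

def requirements_script(inventory, required_updates, known_worms):
    """Models the network policy requirements script run on the client by the CM post-connect
    action. Returns the failed checks; an empty list means the script may run Rqc.exe."""
    failures = []
    if not inventory.get("antivirus_installed"):
        failures.append("antivirus not installed")
    missing = sorted(set(required_updates) - set(inventory.get("installed_updates", ())))
    if missing:
        failures.append("missing updates: " + " ".join(missing))
    found = sorted(set(known_worms) & set(inventory.get("running_processes", ())))
    if found:
        failures.append("known worm process: " + " ".join(found))
    return failures

def listener(notification, allowed_set):
    """Models Rqs.exe on the remote access server: quarantine filters are lifted only when the
    reported script version is one the administrator listed (the AllowedSet registry value);
    an unknown or stale script leaves the client restricted until the session timeout."""
    return notification.get("script_version") in allowed_set

# Constructed policies, listed in evaluation order.
POLICIES = [
    Policy("Deny suspended contractors", {"group": {"Contractors-Suspended"}}, "deny"),
    Policy("VPN users (quarantined on connect)", {"group": {"VPN-Users"}}, "grant",
           allowed_auth=frozenset({"EAP-TLS"}), allowed_tunnels=frozenset({"L2TP"}),
           min_encryption="strongest", quarantine=True),
]
REQUIRED_UPDATES = {"KB-A", "KB-B"}   # constructed identifiers, not real update numbers
KNOWN_WORMS = {"worm.exe"}            # constructed process name
ALLOWED_SET = {"Version1"}            # what the Rqs AllowedSet value would contain
SCRIPT_VERSION = "Version1"           # the string the client's script hands to Rqc.exe

def session(attempt, inventory, policies=POLICIES):
    """Whole flow for one connection: policy decision, then (if quarantined) the
    requirements script on the client and the listener on the server."""
    decision, _policy, reason = evaluate(policies, attempt)
    if decision != "quarantine":
        return (decision, reason)
    failures = requirements_script(inventory, REQUIRED_UPDATES, KNOWN_WORMS)
    if failures:
        return ("quarantined", "; ".join(failures))
    if listener({"script_version": SCRIPT_VERSION}, ALLOWED_SET):
        return ("accept", "quarantine released")
    return ("quarantined", "script version not in AllowedSet")

if __name__ == "__main__":
    alice = Attempt("alice", frozenset({"VPN-Users"}), "L2TP", "EAP-TLS", "strongest")
    print(session(alice, {"antivirus_installed": True, "installed_updates": {"KB-A", "KB-B"}}))
```

Note the order of operations in `evaluate`: a PPTP client authenticating with MS-CHAP is rejected by the profile of the policy that matched it, which is exactly the effect of the best-practice slide's "disable MS-CHAP, require L2TP/IPSec", and a quarantined client whose script version is not in the AllowedSet never gets its filters removed, which is what protects against clients that skip or tamper with the requirements script.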
ROUTING TABLES
ROUTING PROTOCOL UPDATES
VPNs SENDING ROUTING UPDATES
DEMAND-DIAL LINKS
• Network-to-network links established as needed
• Can be established one-way or two-way
• Do not support routing protocols (their periodic updates would bring the link up and keep it up)
• Require statically configured routes pointing at the demand-dial interface
DEMAND-DIAL STATIC ROUTES
VPN ARCHITECTURES
• Behind the firewall
• In front of the firewall
• In a screened subnet
• Hosted at an ISP
VPN BEHIND THE FIREWALL
VPN IN FRONT OF THE FIREWALL
VPN IN A SCREENED SUBNET
VPN HOSTED AT AN ISP
GEOGRAPHIC PLACEMENT OF VPN SERVERS
• VPN servers compound latency
• Latency leads to poor network performance
• To improve performance, add VPN servers near users
HIGH-LATENCY VPN ARCHITECTURE
LOW-LATENCY VPN ARCHITECTURE
SPLIT TUNNELING
• Without split tunneling:
  • Users access internal resources through VPN
  • Users access Internet resources through VPN
• With split tunneling:
  • Users access internal resources through VPN
  • Users access Internet resources through ISP
  • Internet traffic bypasses the corporate firewall and proxy, and the client is attached to both networks at once
WITHOUT SPLIT TUNNELING
WITH SPLIT TUNNELING
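The routing-table, demand-dial and split-tunneling slides all come down to which route a packet matches. The Python example below is added here and is not from the chapter: it performs longest-prefix matching over constructed client tables (one with the RAS default of sending all traffic over the VPN, one with split tunneling) and over a headquarters router whose static route to a branch points at a demand-dial interface. All addresses (taken from the documentation ranges), interface names and metrics are assumptions made for the illustration.

```python
import ipaddress

# Route entries are (prefix, interface, gateway, metric). Between equally specific
# prefixes the lowest metric wins, which is how RAS keeps the ISP default route in
# the table but demotes it when "use default gateway on remote network" is set.

def lookup(routes, dest):
    """Longest-prefix match with metric tie-break. Returns (interface, gateway) or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface, gw, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[3]):
            best = (net, iface, gw, metric)
    return None if best is None else (best[1], best[2])

# Constructed client addressing (documentation ranges, not a real deployment).
ISP_GW = "198.51.100.1"       # the client's ISP default gateway
VPN_SERVER = "203.0.113.10"   # public address of the RAS/VPN server
VPN_IP = "10.1.5.77"          # address handed to the client's VPN adapter
CORP_NET = "10.0.0.0/8"       # the corporate network reachable through the tunnel

# Routes every connected client has regardless of the tunneling setting.
COMMON = [
    ("198.51.100.0/24", "isp", "on-link", 20),
    (VPN_SERVER + "/32", "isp", ISP_GW, 20),   # host route so the tunnel itself stays reachable
    (VPN_IP + "/32", "vpn", "on-link", 1),
]

# Without split tunneling: a second default route over the VPN with a better metric,
# so Internet traffic also goes through the corporate network.
FULL_TUNNEL = COMMON + [
    ("0.0.0.0/0", "isp", ISP_GW, 26),
    ("0.0.0.0/0", "vpn", VPN_IP, 1),
]

# With split tunneling: only the corporate prefix is routed over the VPN (the kind of
# routing-table update a CMAK profile can push); Internet traffic leaves via the ISP.
SPLIT_TUNNEL = COMMON + [
    ("0.0.0.0/0", "isp", ISP_GW, 20),
    (CORP_NET, "vpn", VPN_IP, 1),
]

def egress(table, dest):
    """Interface a packet to dest leaves on, or None if unroutable."""
    hit = lookup(table, dest)
    return None if hit is None else hit[0]

def compare(dests):
    """Per destination: which interface carries it under each tunneling mode."""
    return {d: {"full": egress(FULL_TUNNEL, d), "split": egress(SPLIT_TUNNEL, d)} for d in dests}

# Site-to-site: the HQ router reaches a branch over a demand-dial interface. No routing
# protocol runs across it, so the branch prefix is a static route pointing at that
# interface, and a packet matching it is what triggers the dial.
HQ_ROUTER = [
    ("10.0.0.0/8", "lan", "on-link", 1),
    ("10.200.0.0/16", "dd-branch", "on-link", 1),   # static route for the branch subnet
    ("0.0.0.0/0", "ext", "203.0.113.1", 1),
]
DEMAND_DIAL_IFACES = {"dd-branch"}

def forward(table, dest, connected):
    """('dial', iface) if the chosen interface is demand-dial and currently down,
    ('send', iface) otherwise, or ('drop', None) when no route matches."""
    hit = lookup(table, dest)
    if hit is None:
        return ("drop", None)
    iface = hit[0]
    if iface in DEMAND_DIAL_IFACES and iface not in connected:
        return ("dial", iface)
    return ("send", iface)

if __name__ == "__main__":
    for dest, paths in compare(["192.0.2.55", "10.20.30.40", VPN_SERVER]).items():
        print(dest, paths)
    print(forward(HQ_ROUTER, "10.200.1.5", connected=set()))
```

The host route to the VPN server is the detail most often forgotten when reasoning about the full-tunnel table: without it the encapsulated packets would themselves match the default route over the VPN and the tunnel could never be built. In the split table the corporate /8 is the only thing that differs, which is why a client in that mode can be reached from the Internet and the intranet at the same time.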
ACTIVE DIRECTORY APPLICATION MODE (ADAM)
• Free download
• Provides Active Directory-style Lightweight Directory Access Protocol (LDAP) directory services for applications without requiring domain controllers
• ADAM users are not Windows security principals, so extranet users get no domain accounts
• Allows multiple instances on a single computer
• Use the Active Directory to ADAM Synchronizer (ADAMSync) to populate it from Active Directory
SYNCHRONIZING ACTIVE DIRECTORY TO ADAM
SUMMARY
• Use L2TP/IPSec for VPN access whenever possible
• Use the Connection Manager Administration Kit (CMAK) to deploy client VPN and remote access settings
• RAPs control who can remotely connect
• Quarantine control checks remote access clients for security requirements before granting full access
• Configure static routes for demand-dial links
• Design VPN architectures to minimize latency
• Do not create Active Directory accounts for extranet users; keep them in ADAM