
Setting Up a Virtual Private Network




  1. Setting Up a Virtual Private Network Chapter 9

  2. Learning Objectives • Understand the components and essential operations of virtual private networks (VPNs) • Describe the different types of VPNs • Create VPN setups such as mesh or hub-and-spoke configurations • Choose the right tunneling protocol for your VPN • Enable secure remote access for individual users via a VPN • Observe best practices for configuring and maintaining VPNs effectively

  3. VPNs • Goal: Provide a cost-effective and secure way to connect businesses to one another and remote workers to office networks • Encapsulate and encrypt data being transmitted • Use authentication to ensure that only approved users can access the VPN • Provide a means of secure point-to-point communications over the public Internet

  4. VPN Components and Operations • Essential components that make up a VPN • How VPNs enable data to be accessed securely • Advantages and disadvantages of using VPNs compared to leased lines • How VPNs extend network boundaries

  5. Components within VPNs • Endpoints (terminators) at each end of the connection, implemented in hardware or software • A (virtual) tunnel between the endpoints that runs over the public network • Software that performs the security-related work: encapsulation, encryption and authentication

  6. Devices That Form the Endpoints of the VPN • Server running a tunneling protocol • VPN appliance • A firewall/VPN combination • A router-based VPN

  7. Essential Activities of VPNs • IP encapsulation • Data payload encryption • Encrypted authentication

  8. IP Encapsulation • Hides the internal hosts from the public network • VPN encapsulates the actual data packets within packets whose source and destination addresses are those of the VPN gateways • Source and destination information of the actual data packets is hidden from the Internet only when the inner packet is also encrypted (as ESP does); encapsulation on its own merely wraps it • Because a VPN tunnel is used, source and destination IP addresses of the actual data packets can be in private reserved blocks (RFC 1918) that are not routable over the Internet

  9. Data Payload Encryption • Transport mode: only the packet payload is protected; the original IP header stays in the clear • Tunnel mode: the entire original packet, header included, is protected and carried inside a new packet addressed between the VPN gateways
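Added example for slides 8 and 9 (this is not code from the slides or the book): a stdlib-only sketch of what tunnel-mode encapsulation actually does to a packet, beside the transport-mode variant. The gateway addresses (RFC 5737 documentation space), host addresses and key are constructed for the example. Real ESP also encrypts the inner packet; here an HMAC-SHA256 tag stands in for ESP's integrity check value and encryption is omitted, so the example shows the address hiding and integrity properties only.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed values for this example (not from the slides): the gateways use
# RFC 5737 documentation addresses, the hosts behind them use RFC 1918 space.
GATEWAY_A = "203.0.113.10"
GATEWAY_B = "198.51.100.20"
HOST_A = "10.1.0.5"
HOST_B = "192.168.2.7"
PROTO_UDP = 17
PROTO_ESP = 50          # IANA protocol number an ESP tunnel packet carries
TAG_LEN = 32            # HMAC-SHA256 stands in for ESP's integrity check value
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (no options, checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4(packet):
    """Return (src, dst, proto, payload) for an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, packet[9], packet[ihl:]


def tunnel_encapsulate(inner_packet, key):
    """Tunnel mode: the whole inner packet (header included) becomes the payload of
    a new packet addressed gateway-to-gateway, so the Internet sees only gateway
    addresses.  Real ESP also encrypts the inner packet; this example only tags it."""
    tag = hmac.new(key, inner_packet, hashlib.sha256).digest()
    payload = inner_packet + tag
    return ipv4_header(GATEWAY_A, GATEWAY_B, PROTO_ESP, len(payload)) + payload


def tunnel_decapsulate(outer_packet, key):
    """Receiving gateway: check the outer protocol, verify the tag, unwrap the inner packet."""
    _, _, proto, payload = parse_ipv4(outer_packet)
    if proto != PROTO_ESP:
        raise ValueError("not a tunnel packet")
    inner, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, inner, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return inner


def transport_protect(packet, key):
    """Transport mode: the original header is kept (and stays visible); only the
    payload is protected, which is why it is normally used host-to-host."""
    src, dst, proto, payload = parse_ipv4(packet)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return ipv4_header(src, dst, proto, len(payload) + TAG_LEN) + payload + tag


def demo(key=DEMO_KEY):
    inner = ipv4_header(HOST_A, HOST_B, PROTO_UDP, 4) + b"ping"
    outer = tunnel_encapsulate(inner, key)
    o_src, o_dst, o_proto, _ = parse_ipv4(outer)
    recovered = tunnel_decapsulate(outer, key)
    i_src, i_dst, i_proto, i_payload = parse_ipv4(recovered)
    t_src, t_dst, _, _ = parse_ipv4(transport_protect(inner, key))
    return {
        "outer": (o_src, o_dst, o_proto),             # what the Internet sees
        "inner": (i_src, i_dst, i_proto, i_payload),  # what the hosts see
        "inner_is_private": all(ipaddress.ip_address(a).is_private for a in (i_src, i_dst)),
        "transport_header": (t_src, t_dst),           # transport mode keeps host addresses
        "recovered_equals_inner": recovered == inner,
    }


def tampered_rejected(key=DEMO_KEY):
    """Flip one bit of the inner destination address in flight; the tag must fail."""
    inner = ipv4_header(HOST_A, HOST_B, PROTO_UDP, 4) + b"ping"
    outer = bytearray(tunnel_encapsulate(inner, key))
    outer[20 + 16] ^= 0x01
    try:
        tunnel_decapsulate(bytes(outer), key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("tamper detected:", tampered_rejected())
```

The outer header is the only thing a router between the two gateways can act on; it carries protocol 50 and the gateway addresses, nothing about the 10.x or 192.168.x hosts. Transport mode, by contrast, leaves the host addresses in the header it protects.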

  10. Encrypted Authentication • Hosts authenticate each other by proving possession of cryptographic keys; the keys are generated by cryptographic algorithms, and the key material itself is never sent in the clear • Types of keys that can be used • Symmetric keys: one pre-shared secret known to both ends • Asymmetric keys: a public/private key pair, usually distributed as a certificate; only the public half is ever shared

  11. Advantages and Disadvantages of VPNs

  12. VPNs Extend a Network’s Boundaries • To deal with the increased risk caused by VPN connections • Require two or more authentication factors to identify remote users • Integrate virus protection • Set usage limits

  13. Types of VPNs • Site-to-site VPN • Links two or more networks through their gateways • Client-to-site VPN • Makes a network accessible to individual remote users (originally dial-in users, now any user with an Internet connection)

  14. VPN Appliances • Hardware devices specially designed to terminate VPNs and join multiple LANs • Permit connections, but do not provide other services (e.g., file sharing, printing) • Enable connections of more tunnels and users than software systems • Examples • SonicWALL series • Symantec Firewall/VPN appliance

  15. Advantage of Using Hardware Systems

  16. Software VPN Systems • Generally less expensive than hardware systems • Tend to scale better for fast-growing networks • Examples • F-Secure VPN+ • Novell BorderManager VPN services • Check Point FireWall-1

  17. VPN Combinations of Hardware and Software • Cisco 3000 Series VPN Concentrator • Gives users the choice of operating in: • Client mode, or • Network extension mode

  18. VPN Combinations of Different Vendors’ Products • Challenge: Get all pieces to talk to and communicate with one another successfully • Pick a standard security protocol that is widely used and that all devices support (e.g., IPSec), and agree on the same algorithms and authentication method on every device

  19. VPN Setups • If two participants • Configuration is relatively straightforward in terms of expense, technical difficulty, and time • If three or more, several options • Mesh configuration • Hub-and-spoke arrangement • Hybrid setup

  20. Mesh Configuration • Connects multiple computers that each have a security association (SA) with all other machines in the VPN

  21. Hub-and-Spoke Configuration • A single VPN router maintains records of all SAs • Any device that wishes to participate in the VPN need only connect to the central router • Easy to increase the size of the VPN • The requirement that all communications flow into and out of the central router slows down spoke-to-spoke communications and makes the hub both a bottleneck and a single point of failure

  22. Hybrid Configuration • Benefits from the strengths of each: the scalability of the hub-and-spoke option and the speed of the mesh option • Use mesh for the most important branches of the network and for critical communications • Use hub-and-spoke for overseas branches and for new branch offices
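Added example for slides 20 to 22 (not code from the slides or the book): a small planner that builds the tunnel set for a mesh, a hub-and-spoke and a hybrid design, then counts the security associations each needs, how many tunnels the hub must terminate, and how many tunnels a packet crosses between two sites. The site names and which sites count as critical are constructed for the example.

```python
from itertools import combinations


def full_mesh(sites):
    """Every site holds a tunnel (and thus an SA pair) to every other site."""
    return {frozenset(p) for p in combinations(sorted(sites), 2)}


def hub_and_spoke(sites, hub):
    """Every site holds exactly one tunnel, to the hub."""
    return {frozenset((s, hub)) for s in sites if s != hub}


def hybrid(sites, hub, critical):
    """Critical sites (plus the hub) are fully meshed; everyone else is a spoke."""
    core = set(critical) | {hub}
    tunnels = full_mesh(core)
    tunnels |= {frozenset((s, hub)) for s in sites if s not in core}
    return tunnels


def sa_count(tunnels):
    """IPSec SAs are unidirectional, so each tunnel needs two."""
    return 2 * len(tunnels)


def per_site_load(tunnels):
    """How many tunnels each site must terminate; the hub's figure is its bottleneck."""
    load = {}
    for t in tunnels:
        for site in t:
            load[site] = load.get(site, 0) + 1
    return load


def hops(tunnels, src, dst):
    """Tunnels a packet crosses from src to dst (breadth-first search), or None."""
    adjacent = {}
    for t in tunnels:
        a, b = tuple(t)
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    frontier, seen, distance = [src], {src}, 0
    while frontier:
        if dst in frontier:
            return distance
        nxt = {m for n in frontier for m in adjacent.get(n, ()) if m not in seen}
        seen |= nxt
        frontier, distance = list(nxt), distance + 1
    return None


# Constructed example: headquarters is the hub, the data centre and New York
# carry critical traffic, the other three are overseas or newly opened branches.
SITES = ["HQ", "DC", "NYC", "Tokyo", "Berlin", "Lagos"]
CRITICAL = ["DC", "NYC"]


def compare():
    designs = {
        "mesh": full_mesh(SITES),
        "hub-and-spoke": hub_and_spoke(SITES, "HQ"),
        "hybrid": hybrid(SITES, "HQ", CRITICAL),
    }
    return {
        name: {
            "tunnels": len(t),
            "sas": sa_count(t),
            "hub_load": per_site_load(t).get("HQ", 0),
            "DC->NYC hops": hops(t, "DC", "NYC"),
            "Tokyo->Berlin hops": hops(t, "Tokyo", "Berlin"),
        }
        for name, t in designs.items()
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

With six sites the full mesh needs 15 tunnels (30 SAs) and every site terminates five; hub-and-spoke needs only 5 tunnels but all spoke traffic takes two hops through HQ; the hybrid keeps the critical DC to NYC path at one hop while the branches stay at one tunnel each. Adding a seventh site costs six new tunnels in the mesh and one in the other two designs, which is the scalability argument the slide makes.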

  23. Configurations and Extranet and Intranet Access • Extranet • Enable firewalls and anti-virus software for each remote user or business partner • Intranet • Establish usage limits • Set up anti-virus and firewall protection

  24. Configurations and Extranet and Intranet Access

  25. Tunneling Protocols Used with VPNs • IPSec/IKE • PPTP (Point-to-Point Tunneling Protocol) • L2TP (Layer 2 Tunneling Protocol) • PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer) • PPP over SSH (Point-to-Point Protocol over Secure Shell)

  26. IPSec/IKE • IPSec provides: • Encryption of the data part of packets (ESP) • Authentication and integrity protection of packets (AH, or ESP with integrity) • Encapsulation between two VPN hosts • Two security protocols (AH and ESP) • Capability to work in two modes (transport and tunnel) • IKE provides: • Negotiation of security associations and establishment of shared session keys through a Diffie-Hellman exchange; private keys are never sent over the wire, only public values • Authentication of the peers with a pre-shared key or certificates • Agreement on which encryption and integrity algorithms protect the data that flows through the VPN tunnel
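Added example for slides 10 and 26 (not code from the slides or the book): a deliberately simplified IKE-style exchange run in one process, showing what IKE actually moves across the wire and what it keeps local. Both sides derive the same session keys from a Diffie-Hellman exchange without either private exponent ever leaving its host, and the initiator then proves it knows the pre-shared key over the exchange transcript, in the shape of the IKEv2 PSK AUTH payload. The key derivation is reduced to a single PRF step per key, the MODP group constant is typed in from memory and should be checked against RFC 3526 before any reuse, and the identity string is constructed; the PRF and the "Key Pad for IKEv2" literal are as in RFC 7296.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group (RFC 3526 group 14), generator 2.  The constant is typed in
# from memory for this example; verify it against the RFC before reusing it.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_PAD = b"Key Pad for IKEv2"   # literal from RFC 7296, section 2.15


def prf(key, data):
    """PRF_HMAC_SHA2_256, one of the PRFs IKE can negotiate."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """The private exponent stays on this host; only g^x mod p goes on the wire."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def derive_keys(shared_secret, nonce_i, nonce_r):
    """SKEYSEED = prf(Ni | Nr, g^ir), then (simplified) one prf step per child key."""
    skeyseed = prf(nonce_i + nonce_r, shared_secret.to_bytes(256, "big"))
    sk_p = prf(skeyseed, b"SK_p" + nonce_i + nonce_r)   # authenticates the ID payload
    sk_e = prf(skeyseed, b"SK_e" + nonce_i + nonce_r)   # would key the ESP tunnel
    return sk_p, sk_e


def auth_payload(psk, transcript, sk_p, identity):
    """AUTH = prf(prf(PSK, KEY_PAD), transcript | prf(sk_p, ID)): proves the sender
    knows the PSK and binds that proof to this particular exchange."""
    return prf(prf(psk, KEY_PAD), transcript + prf(sk_p, identity))


def ike_handshake(psk_initiator, psk_responder, identity=b"gw-a.example"):
    """Simplified IKE_SA_INIT + IKE_AUTH run in one process: both sides derive keys
    from the DH exchange, then the responder checks the initiator's PSK proof."""
    # IKE_SA_INIT: exchange DH public values and nonces (private exponents never move)
    x_i, g_i = dh_keypair()
    x_r, g_r = dh_keypair()
    n_i, n_r = secrets.token_bytes(32), secrets.token_bytes(32)
    # each side combines the peer's public value with its own private exponent
    sk_p_i, sk_e_i = derive_keys(pow(g_r, x_i, P), n_i, n_r)
    sk_p_r, sk_e_r = derive_keys(pow(g_i, x_r, P), n_i, n_r)
    # IKE_AUTH: initiator proves PSK knowledge over the transcript; responder recomputes
    transcript = g_i.to_bytes(256, "big") + g_r.to_bytes(256, "big") + n_i + n_r
    auth_i = auth_payload(psk_initiator, transcript, sk_p_i, identity)
    expected = auth_payload(psk_responder, transcript, sk_p_r, identity)
    return {
        "same_keys": hmac.compare_digest(sk_e_i, sk_e_r),
        "auth_ok": hmac.compare_digest(auth_i, expected),
    }


if __name__ == "__main__":
    print("matching PSK:", ike_handshake(b"correct horse", b"correct horse"))
    print("wrong PSK:   ", ike_handshake(b"correct horse", b"battery staple"))
```

The second run shows why the DH exchange alone is not enough: an attacker who sits in the middle can complete Diffie-Hellman with each side and end up with matching keys, but cannot produce a valid AUTH without the pre-shared key, so the responder rejects the SA. With certificate authentication the AUTH payload is a signature over the same transcript instead of a PRF keyed by the PSK.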

  27. PPTP • Developed by Microsoft for granting VPN access to remote users over dial-up connections • Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data • Useful only where support for older clients is unavoidable: the MS-CHAPv2 authentication PPTP relies on is cryptographically broken, and the MPPE keys are derived from it, so PPTP should not be relied on for confidentiality • Compatible with Network Address Translation (NAT) provided the NAT device can handle GRE (protocol 47) alongside the TCP control channel • Superseded by L2TP/IPSec

  28. L2TP • Tunnels PPP frames so that dial-up and remote users can establish a VPN connection to a remote access server • Provides no encryption of its own; it is run over IPSec (L2TP/IPSec) to encrypt and authenticate the data • Provides a higher level of encryption and authentication than PPTP, but without IPSec NAT Traversal (NAT-T, UDP encapsulation on port 4500) it is incompatible with NAT, because NAT rewrites the headers that IPSec integrity-protects

  29. PPP Over SSL and PPP Over SSH • Two UNIX-based methods for creating VPNs • Both combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH) • SSL • Uses public-key cryptography to authenticate the server (and optionally the client) and to establish a symmetric session key; the same protocol that secures communications over the Web • SSH • The UNIX secure shell: authenticates the server with its host key and the user with a password or public key, then encrypts the session with a per-session symmetric key • Caveat: both carry PPP over a TCP connection, so TCP traffic inside the tunnel suffers the "TCP over TCP" problem on lossy links, where the inner and outer retransmission timers work against each other

  30. When to Use Different VPN Protocols

  31. Enabling Remote Access Connections within VPNs • Issue the user VPN client software • Make sure the user’s computer is equipped with anti-virus software and a firewall • If IPSec is used for the VPN connection, also provision the remote user’s credentials (a pre-shared key or a certificate)

  32. Configuring the Server • Major operating systems include ways of providing secure remote access • Linux • IP masquerading (NAT) on the gateway, combined with one of the tunneling protocols above; masquerading by itself only rewrites addresses and is not a VPN • Windows XP and 2000 • Network Connections Wizard

  33. Configuring the Server

  34. Configuring the Server

  35. Configuring Clients • Involves either installing and configuring VPN client software or using the Network Connection Wizard • Client workstation must be protected by a firewall

  36. VPN Best Practices • Security policy rules that specifically apply to the VPN • Integration of firewall packet filtering with VPN traffic • Auditing the VPN to make sure it is performing acceptably

  37. The Need for a VPN Policy • Identify who can use the VPN • Ensure that all users know what constitutes proper use of the VPN • Whether and how authentication is to be used • Whether split tunneling is permitted • How long users can be connected at any one session • Whether virus protection is included

  38. Packet Filtering and VPNs • Encryption and decryption of data can be performed either outside the packet-filtering perimeter or inside it • If the VPN terminates inside the perimeter, the filter sees only the encrypted tunnel (ESP, GRE or UDP) and cannot inspect the inner packets; its rules can then do no more than admit the tunnel protocols to the VPN gateway • If the VPN terminates outside the perimeter, the decrypted traffic passes through the filter and can be inspected, but it travels in the clear between the VPN endpoint and the filter

  39. PPTP Filter Rules

  40. L2TP and IPSec Packet-Filtering Rules
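The rule tables for slides 39 and 40 did not survive in this transcript. As an added example (not the slides' own tables), here is a small first-match filter that encodes the rules a practitioner would write for each protocol and runs constructed packets through it. The protocol numbers and ports are the IANA assignments (TCP 1723 and GRE for PPTP; UDP 500, UDP 4500, ESP and AH for L2TP/IPSec); the addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers and ports (not from the slides, whose tables are missing)
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51
PPTP_CONTROL, IKE, IKE_NAT_T, L2TP = 1723, 500, 4500, 1701

# Constructed addresses for the example
VPN_GW = "203.0.113.10"      # our VPN gateway, inside the filtered perimeter
PEER_GW = "198.51.100.20"    # the partner site's gateway
INTERNET_HOST = "192.0.2.99"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # only meaningful for TCP/UDP


def rule(name, proto, dport=None, src=None, dst=None, action="accept"):
    """One filter entry; None means 'any'."""
    return {"name": name, "proto": proto, "dport": dport, "src": src, "dst": dst, "action": action}


def pptp_rules(gw, peer=None):
    """PPTP needs the TCP control channel plus GRE for the tunneled PPP frames.
    peer=None is the remote-access case, where the client address is unknown."""
    return [
        rule("pptp-control", TCP, PPTP_CONTROL, peer, gw),
        rule("pptp-gre", GRE, None, peer, gw),
    ]


def l2tp_ipsec_rules(gw, peer=None):
    """L2TP/IPSec needs IKE, IKE NAT-T and ESP (AH if negotiated).  L2TP itself
    (UDP 1701) only ever arrives inside ESP; a cleartext L2TP packet is refused."""
    return [
        rule("ike", UDP, IKE, peer, gw),
        rule("ike-nat-t", UDP, IKE_NAT_T, peer, gw),
        rule("esp", ESP, None, peer, gw),
        rule("ah", AH, None, peer, gw),
        rule("l2tp-cleartext", UDP, L2TP, None, gw, "drop"),
    ]


def evaluate(rules, pkt):
    """First-match evaluation with an implicit default deny, as a stateless filter does."""
    for r in rules:
        if r["proto"] != pkt.proto:
            continue
        if r["dport"] is not None and r["dport"] != pkt.dport:
            continue
        if r["src"] is not None and r["src"] != pkt.src:
            continue
        if r["dst"] is not None and r["dst"] != pkt.dst:
            continue
        return r["action"], r["name"]
    return "drop", "default-deny"


if __name__ == "__main__":
    site = l2tp_ipsec_rules(VPN_GW, PEER_GW)
    for pkt in (Packet(PEER_GW, VPN_GW, UDP, IKE),
                Packet(PEER_GW, VPN_GW, ESP),
                Packet(INTERNET_HOST, VPN_GW, ESP),
                Packet(PEER_GW, VPN_GW, UDP, L2TP)):
        print(pkt, "->", evaluate(site, pkt))
```

Two things the run makes visible. For a site-to-site tunnel the rules pin the source to the partner gateway, so an ESP packet from an arbitrary Internet host is dropped before the VPN software ever sees it; for remote access that restriction has to go, and authentication in IKE becomes the only gate. And once the "esp" rule has accepted protocol 50, nothing in this filter can say anything about the inner packet's addresses or ports, which is the point of slide 38: inspection of decrypted traffic needs a filtering point on the far side of the VPN endpoint.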

  41. Auditing and Testing the VPN • Time consuming • Choose client software that is easy for end users to install on their own to save you time and effort

  42. Chapter Summary • Configuration and operations of VPNs
