
Alessandro Appiani, Consultant, Microsoft Certified Partner

VPN Client-to-LAN and LAN-to-LAN with Windows Small Business Server 2003: installation, configuration, security.





Presentation Transcript


  1. VPN Client-to-LAN and LAN-to-LAN with Windows Small Business Server 2003: installation, configuration, security. Alessandro Appiani, Consultant, Microsoft Certified Partner

  2. Agenda
  • VPN basics
  • Securing network communications
  • Encryption overview
  • VPNs compared
    • Client-to-LAN
    • LAN-to-LAN
  • VPN in detail
    • tunneling protocol
    • authentication
    • encryption
  • Windows Small Business Server 2003 technologies for Client-to-LAN and LAN-to-LAN VPNs

  3. What is a VPN?
  • From the Windows Server 2003 site: "Microsoft defines a virtual private network as the extension of a private network that encompasses links across shared or public networks like the Internet."
  • http://www.microsoft.com/windowsserver2003/techinfo/overview/vpnfaq.mspx

  4. What problems arise with network communication that uses public connectivity such as the Internet?
  • Identity spoofing
  • Man-in-the-middle
  • Data modification
  • Network monitoring
  • Password-based attacks

  5. The solution: encrypting the transmitted data
  [Diagram: encrypted IP packet]
  • Encrypts data at the application layer
    • SSL
    • TLS
  • Encrypts data at the network layer
    • Tunneling protocol
    • IPSec

  6. Virtual Private Networks (VPN): an application of encryption technologies

  7. VPN basics
  • An encryption technology
  • A tunneling method/protocol
  • A connection and transport mode (Client-to-LAN, LAN-to-LAN)
  • A set of definitions for
    • IP addressing
    • Authentication
    • Authorization
    • Auditing

  8. Cryptography
  • Encryption keys & algorithms
  • Symmetric encryption
  • Public key encryption (asymmetric)
  [Diagram: encryption algorithm]

  9. Encryption Keys

  10. Symmetric encryption:
  • uses the same key to encrypt and to decrypt
  • is often referred to as bulk encryption
  • is intrinsically vulnerable because of the "shared secret" concept: the key is shared
  [Diagram: How does symmetric encryption work? Original data → cipher text → original data]

  11. Using Symmetric Key Encryption
  • Encrypting application data
    • EFS
    • S/MIME
  • Encrypting communication protocols
    • IPSec
    • TLS
  [Diagram: shared secret key → encryption algorithm (encryption by User1); shared secret key → decryption algorithm (decryption by User2)]

  12. How Does Public Key Encryption Work?

  13. Public Key Encryption
  1. Alice encrypts the message with Bob's public key.
  2. The encrypted message is sent over the network.
  3. Bob decrypts the message with Bob's private key.
  [Diagram: Data → 3A78 → Data]

  14. Public Key Authentication
  1. Alice signs the message with her private key.
  2. The message is sent over the network.
  3. Bob validates that the message is from Alice with Alice's public key.
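Slides 13 and 14 describe the two uses of a key pair without showing the arithmetic. The following is an added example, not part of the presentation: textbook RSA with deliberately tiny primes (61 and 53 give the well-known n = 3233, e = 17, d = 2753; the second pair 101 and 113 is an arbitrary choice) so that encrypt-with-public/decrypt-with-private and sign-with-private/verify-with-public can be followed by hand. The message value 65 and the key sizes are constructed for illustration only; unpadded RSA on small moduli is not a usable cryptosystem.

```python
"""Textbook RSA with toy primes, illustrating slides 13 and 14.

Constructed example: the primes are tiny so the numbers can be checked by
hand, and this is unpadded textbook RSA, not a production scheme.
"""
from math import gcd


def keygen(p: int, q: int, e: int = 17):
    """Return ((n, e), (n, d)) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Slide 13, step 1: anyone holding the public key can encrypt for its owner."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Slide 13, step 3: only the private-key holder recovers the message."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, m: int) -> int:
    """Slide 14, step 1: the sender signs with her own private key."""
    n, d = private_key
    return pow(m, d, n)


def verify(public_key, m: int, s: int) -> bool:
    """Slide 14, step 3: the recipient checks the signature with the sender's public key."""
    n, e = public_key
    return pow(s, e, n) == m


def demo():
    """Alice -> Bob: confidentiality via Bob's key pair, origin via Alice's."""
    bob_pub, bob_priv = keygen(61, 53)        # n = 3233, d = 2753 (textbook values)
    alice_pub, alice_priv = keygen(101, 113)  # a second, independent key pair
    m = 65
    c = encrypt(bob_pub, m)                   # Alice uses Bob's PUBLIC key
    recovered = decrypt(bob_priv, c)          # Bob uses his PRIVATE key
    s = sign(alice_priv, m)                   # Alice uses her PRIVATE key
    return {
        "ciphertext": c,                      # 2790 for these toy parameters
        "recovered": recovered,
        "signature_ok": verify(alice_pub, m, s),
        "tampered_ok": verify(alice_pub, m + 1, s),
    }


if __name__ == "__main__":
    print(demo())
```

The two key pairs are what separates slide 13 from slide 14: Alice needs only Bob's public key to reach him confidentially, and Bob needs only Alice's public key to confirm origin, which is the property that makes the certificate-based (PKI) option of slide 20 workable for many clients.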

  15. From theory to practice...

  16. Application-layer security
  Planning protocols for application-layer security:
  • Planning secure file transmissions
  • Planning secure communications for web applications
  • Planning security for e-mail applications
  [Stack diagram: Application / SSL/TLS / TCP/UDP / IP/IPSec / Link layer / Physical layer]
  Application-layer: requires that applications support the encryption

  17. Network-layer: Virtual Private Network (VPN)
  [Stack diagram: Application / SSL/TLS / TCP/UDP / IP/IPSec / Link layer / Physical layer]
  Is transparent to applications

  18. VPN Client-to-LAN: connecting remote users to a corporate network
  [Diagram: remote user → VPN tunnel across the Internet → VPN server computer → corporate network]

  19. VPN LAN-to-LAN: connecting remote networks to a local network
  [Diagram: remote network → VPN server computer → VPN tunnel across the Internet → VPN server computer → local network]

  20. VPNs compared
  • LAN-to-LAN
    • uses appliances/servers that handle the VPN communication and act as gateways between the two networks
    • encryption is applied only to the traffic between the gateways (tunnel endpoints)
    • symmetric, "shared-key" encryption
    • IP addressing → must be planned
  • Client-to-LAN
    • a typical one (gateway/access point) to many (clients) connection
    • encryption is applied to the traffic between the gateway and N clients
    • "shared-key" encryption is not adequate (the key would have to be distributed to N places!)
    • can use PPP-based protocols (PPTP, L2TP)
    • using IPsec requires asymmetric encryption techniques (PKI, certificates, ...)
    • IP addressing → simple and built in

  21. Virtual Private Network Protocols
  PPTP*
  • Internetwork must be IP based
  • No header compression
  • No tunnel authentication
  • Built-in PPP encryption
  L2TP**
  • Internetwork can be IP, Frame Relay, X.25, or ATM based
  • Header compression
  • Tunnel authentication
  • Uses IPSec encryption
  [Diagram: client ↔ Internet ↔ server, PPTP or L2TP]
  *PPTP: RFC 2637 - **L2TP: RFC 2661

  22. Selecting a Tunneling Protocol
  [Table: features per tunneling protocol: L2TP/IPSec, PPTP, IPSec tunnel mode]

  23. Authentication Protocols • Standard Authentication Protocols • Extensible Authentication Protocols

  24. Standard Authentication Protocols
  Protocol   | Security | Use when
  PAP        | Low      | The client and server cannot negotiate using more secure validation
  SPAP       | Medium   | Connecting a Shiva LANRover and a Windows 2000-based client, or a Shiva client and a Windows 2000-based remote access server
  CHAP       | High     | You have clients that are not running Microsoft operating systems
  MS-CHAP    | High     | You have clients running Windows NT version 4.0 and later, or Microsoft Windows 95 and later
  MS-CHAP v2 | High     | You have dial-up clients running Windows 2000, or VPN clients running Windows NT 4.0 or Windows 98
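The table ranks PAP "Low" and CHAP "High" without showing why. The following is an added example, not part of the presentation: a constructed PAP request beside a CHAP exchange implemented as RFC 1994 specifies it (response = MD5(identifier || secret || challenge)), so that what crosses the wire in each case can be compared. The user name, secret and credential store are made up; the one real-world caveat reflected in the comments is that CHAP obliges the server to hold the cleartext secret, which on Windows means storing the password with reversible encryption.

```python
"""PAP versus CHAP (RFC 1994) on the wire: constructed example.

The credential store and secret are made up. CHAP requires the server to hold
the cleartext secret (on Windows: "store password using reversible
encryption"); PAP sends that secret itself across the link.
"""
import hashlib
import secrets
from typing import Optional

# Constructed credential store: user name -> cleartext secret.
USERS = {"alice": b"s3cret-example"}


def pap_request(username: str, password: bytes) -> dict:
    """PAP Authenticate-Request: the password itself crosses the network."""
    return {"user": username, "password": password}


def pap_verify(request: dict) -> bool:
    stored = USERS.get(request["user"])
    return stored is not None and secrets.compare_digest(stored, request["password"])


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge), 16 bytes."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored secret and compare in constant time."""
    secret = USERS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return secrets.compare_digest(expected, response)


def chap_exchange(username: str, client_secret: bytes, identifier: int = 1,
                  challenge: Optional[bytes] = None) -> dict:
    """One Challenge / Response / Success-or-Failure round trip.

    Returns what an observer on the link would see ("wire") plus the outcome.
    """
    if challenge is None:
        challenge = secrets.token_bytes(16)  # fresh per attempt, never reused
    response = chap_response(identifier, client_secret, challenge)
    ok = chap_verify(username, identifier, challenge, response)
    return {"wire": {"id": identifier, "challenge": challenge, "response": response},
            "authenticated": ok}


def replay_check(captured_wire: dict, username: str) -> bool:
    """Present a previously captured response against a NEW challenge.

    Returns False for a correct server: the response is bound to its challenge.
    """
    new_challenge = secrets.token_bytes(16)
    return chap_verify(username, captured_wire["id"], new_challenge,
                       captured_wire["response"])


if __name__ == "__main__":
    print("PAP on the wire:", pap_request("alice", USERS["alice"]))
    ex = chap_exchange("alice", USERS["alice"])
    print("CHAP on the wire:", ex["wire"], "->", ex["authenticated"])
    print("captured response reused against a new challenge:", replay_check(ex["wire"], "alice"))
```

The exchange shows the two properties behind the table's ranking: the CHAP secret never appears on the link, and a captured response is useless against the next challenge. It also shows the trade-off the table hints at with "clients that are not running Microsoft operating systems": CHAP's convenience for third-party clients is paid for with a reversibly stored password on the server, which is why MS-CHAP v2 is the preferred choice for Windows clients.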

  25. Authentication

  26. Extensible Authentication Protocols
  • Allows the client and server to negotiate the authentication method that they will use
  • Supports authentication by using
    • MD5-CHAP
    • Transport Layer Security (TLS)
    • PEAP, smartcard, ...
  • Ensures support of future authentication methods through an API

  27. Encryption Protocols
  • Members of this group: the dial-in profile can use IPSec 56-bit Data Encryption Standard (DES) or MPPE 40-bit data encryption
  • Members of this group: the dial-in profile can use IPSec 56-bit DES or MPPE 56-bit data encryption
  • Members of this group: the dial-in profile can use IPSec Triple DES (3DES) or MPPE 128-bit data encryption

  28. Windows Small Business Server 2003 VPN setup & configuration

  29. To Do List

  30. VPN Client-to-LAN
  A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link.
  [Diagram: VPN client ↔ VPN server (Windows Small Business Server)]
  1. VPN client calls the VPN server
  2. VPN server answers the call
  3. VPN server checks the directory to authenticate and authorize the caller
  4. VPN server transfers data

  31. Windows Small Business Server Remote Access Wizard
  This wizard provides on-screen instructions for configuring your server for:
  • VPN connections
  • Dial-up connections
  • Both VPN and dial-up connections
  After clicking Finish, the wizard:
  • Configures the server according to your selected settings
  • Creates the Client Connection Manager configuration file
  • Configures the remote access policy to allow members of the Mobile Users group to use remote access

  32. Example scenarios and demo

  33. Connection scenario
  [Diagram: Internet ↔ Internet router (ISP; xDSL, optical fibre, ISDN, ...) ↔ public network (e.g. 193.205.245.24/29, .2) ↔ SBS (azienda.local) ↔ public network with NAT (e.g. 192.168.1.0/24) ↔ private network 10.0.1.0/24]

  34. VPN LAN-to-LAN
  • IP addressing
  • Interoperability: what is on the other side?
    • Windows Server 2003
    • Windows Server 2000/2003 + ISA Server
    • ...
  • Different editions of Windows SBS
    • Standard
      • Windows 2003 Firewall
      • Remote Access Wizard (Client-to-LAN)
      • No LAN-to-LAN VPN wizard
    • Premium
      • ISA Server!
      • Remote Access Wizard (Client-to-LAN)
      • ISA Server wizard for LAN-to-LAN VPN (with ISA Server on the other side as well)

  35. Example LAN-to-LAN VPN network
  [Diagram: branch office (Filiale) with Windows 2003 (ISA) ↔ Internet ↔ head office (Sede) with SBS (ISA), domain sbs.net; private networks 192.168.1.0/24 and 192.168.3.0/24; public network 212.212.212.0/24; a gateway at .100]
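Slides 20 and 34 both list "IP addressing" as the LAN-to-LAN item that has to be planned, and slide 35 gives the plan for the demo. The following is an added example, not part of the presentation: a check, using Python's standard ipaddress module, that the two sites' private ranges do not overlap, that they are RFC 1918 space, that the tunnel endpoints are public addresses outside every LAN, and which routes each gateway must push into the tunnel. The subnets are the slide's; the assignment of 192.168.1.0/24 to the head office and 192.168.3.0/24 to the branch, and the endpoint addresses 212.212.212.100 and 212.212.212.200, are assumptions made for the example (only ".100" is legible on the slide). The third call reproduces the slide 33 situation of an SBS behind a NAT router, which the check flags because the endpoint is private.

```python
"""LAN-to-LAN addressing check for the plan on slide 35: constructed example.

Subnets are the presentation's; which site has which one and the two tunnel
endpoint addresses are assumptions made for this example.
"""
import ipaddress
from typing import Dict, List


def check_lan_to_lan(local_lans: List[str], remote_lans: List[str],
                     local_endpoint: str, remote_endpoint: str) -> Dict:
    """Validate the addressing plan and derive the routes each gateway needs."""
    # ip_network is strict by default: host bits set in a prefix raise an error.
    local = [ipaddress.ip_network(n) for n in local_lans]
    remote = [ipaddress.ip_network(n) for n in remote_lans]
    local_ep = ipaddress.ip_address(local_endpoint)
    remote_ep = ipaddress.ip_address(remote_endpoint)
    problems = []

    # 1. The two sites must not share address space, or the gateways cannot
    #    tell local hosts from hosts reachable through the tunnel.
    for a in local:
        for b in remote:
            if a.overlaps(b):
                problems.append(f"overlap: local {a} and remote {b}")

    # 2. LAN ranges should be RFC 1918 space so they never collide with
    #    destinations on the public Internet.
    for net in local + remote:
        if not net.is_private:
            problems.append(f"{net} is not a private (RFC 1918) range")

    # 3. Tunnel endpoints are public addresses outside every LAN. A private
    #    endpoint means the gateway sits behind NAT (slide 33) and the router
    #    in front of it must forward the VPN traffic.
    for ep in (local_ep, remote_ep):
        if ep.is_private:
            problems.append(f"tunnel endpoint {ep} is not public: NAT forwarding needed")
        for net in local + remote:
            if ep in net:
                problems.append(f"tunnel endpoint {ep} lies inside LAN {net}")

    # Routes: each gateway sends the other site's LANs into the tunnel.
    routes_local = [(str(b), str(remote_ep)) for b in remote]
    routes_remote = [(str(a), str(local_ep)) for a in local]
    return {"ok": not problems, "problems": problems,
            "routes_local": routes_local, "routes_remote": routes_remote}


if __name__ == "__main__":
    # Slide 35 as assumed above: head office 192.168.1.0/24, branch 192.168.3.0/24.
    print(check_lan_to_lan(["192.168.1.0/24"], ["192.168.3.0/24"],
                           "212.212.212.100", "212.212.212.200"))
    # The common mistake: both sites left on the default 192.168.1.0/24.
    print(check_lan_to_lan(["192.168.1.0/24"], ["192.168.1.0/24"],
                           "212.212.212.100", "212.212.212.200"))
    # Slide 33: SBS on 10.0.1.0/24 behind a NAT router, endpoint 192.168.1.2.
    print(check_lan_to_lan(["10.0.1.0/24"], ["192.168.3.0/24"],
                           "192.168.1.2", "212.212.212.200"))
```

The overlap case is the one that most often surfaces only after the tunnel is up: the tunnel establishes, but traffic for the other site is answered locally. Running the check before handing the plan to the ISA Server or RRAS wizard avoids a renumbering later.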
