Campus VPN service
Trevor Grove, CSCF
March 4, 2011
Overview
• The VPN project
• What is a VPN and why do I want it (what’s it good for)?
• What do we have?
• How do I use it?
• Technical stuff
• Questions
The VPN project
• The team:
  – Steve Carr (IST-Client Services)
  – Trevor Grove (CSCF)
  – Mike Patterson (IST-IT Security)
  – Jason Testart (IST)
  – Shawn Winnington-Ball (IST-CSS Unix)
  – Hong Zheng (IST-CSS Windows)
• And community testers
• Summer/Fall 2010; P.O. issued December
The “what” and “why”
• VPN: Virtual Private Network
  – Google “define: vpn”
  – “tunnels”, “connect to a workplace”, “private connection”, etc.
  – Using the public Internet to securely connect a remote computer to the uWaterloo network
  – Make the remote computer appear as if it were physically connected on campus
Why? (What does it do?)
• Off-campus computers are subject to network restrictions:
  – Campus border policies, e.g. Windows file sharing
  – “uWaterloo-only” websites & resources
  – Campus “interior” addresses (172.16/12)
  – ISP restrictions (message sizes, protocol ports)
• A VPN connection bypasses these, and makes the client look like it is on campus
• Improved telecommuting is a key component of the campus pandemic plan
Why, 2
• VPN connections are encrypted end-to-end
  – Like https, but for everything: email, file-sharing, web-browsing, remote desktop
  – Uses same technology as web “ssl”
• Provides the basis for improved campus border security
  – Restrict protocols at the desktop to uWaterloo
  – Restrict protocols at the border
• “I mostly use it to avoid setting up a myriad of SSH tunnels to places that we lock down to campus subnets, or are in the 172.16/12 space”
Product selection
• Four products investigated:
  – OpenVPN (hardware costs, no software costs, per-client cost per year)
  – Microsoft Forefront UAG (hardware & software costs, no per-client cost)
  – Juniper SSL VPN Appliance (server costs, per-client cost)
  – Cisco ASA (server costs, per-client costs)
• Shortlisted Juniper & Cisco; equivalent functionality, Cisco price advantage
So what do we have?
• Cisco ASA (“Adaptive Security Appliance”) servers
  – Specifically, a pair of ASA 5400s, configured in High Availability mode
• Licenced for 1,000 simultaneous users (unlimited client installations)
  – Intended audience: staff, faculty, grad employees
• Classified as an “ssl vpn”, uses standard https port
  – No problems with firewalls needing to allow PPTP or GRE
How do I use it? Getting started…
• https://cn-vpn.uwaterloo.ca
Getting started, 2
Getting started, 3
• Use AnyConnect to “plug in” on campus:
Getting started, 4
Getting started, 5
• Internet Explorer => Tools => Internet Options => Security
Getting started, 6
Getting started, 7
…annoying Windows “User Account Control” prompt…
…possible warnings about “ActiveX installation”…
Getting started, 8
After client installation
WatIAM credentials
Ending a session
• Use task-bar notification icon (lower right)
Client platforms
• Tested under WinXP, Vista, Win7; Mac OSX; Linux Ubuntu 10.04
  – For platforms with no ActiveX technology, will need to download installer package and run
  – Mac OSX seems to be straightforward
  – Ubuntu slightly complex installation process:
    • Download installer package & script
    • Run installer script from commandline
• Tested with Internet Explorer 6+, Firefox 3+, Chrome, Safari
How does it work?
• Before the VPN connection:
  [Diagram: PC with NIC address 1.2.3.4 → ISP → Internet → destination nets 129.97/16 and 172.16/12; potential connection impediments lie along this path]
How does it work, 2
• After the VPN connection:
  [Diagram: PC with NIC address 1.2.3.4 plus a VPN-client-assigned address in 172.16.36/22; the client routes campus addresses via the VPN; traffic crosses the ISP and Internet to the VPN server, which routes 172.16.36/22 to the campus nets 129.97/16 and 172.16/12]
Technical details
• Installs a network pseudo-device on the client
• Client connects to server, receives a VPN tunnel IP address in 172.16.36/22:

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : uwaterloo.ca
       Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
       Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       …
       IPv4 Address. . . . . . . . . . . : 172.16.36.18(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.252.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 129.97.2.1
                                           129.97.129.10
       …
Technical details, 2
• Client routes uWaterloo traffic through the tunnel, other traffic as usual:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      129.97.15.1    129.97.15.204    266
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
           129.97.0.0      255.255.0.0         On-link      172.16.36.18      2
         129.97.2.197  255.255.255.255      129.97.15.1    129.97.15.204     11
        129.97.15.204  255.255.255.255         On-link     129.97.15.204    266
       129.97.255.255  255.255.255.255         On-link      172.16.36.18    257
           172.16.0.0      255.240.0.0         On-link      172.16.36.18      2
          172.16.36.0    255.255.252.0         On-link      172.16.36.18    257
         172.16.36.18  255.255.255.255         On-link      172.16.36.18    257
        172.16.39.255  255.255.255.255         On-link      172.16.36.18    257
       172.31.255.255  255.255.255.255         On-link      172.16.36.18    257
    ...
      255.255.255.255  255.255.255.255         On-link     129.97.15.204    266
      255.255.255.255  255.255.255.255         On-link      172.16.36.18    257
Technical details, 3
• Fewer hops via VPN:
  – With VPN:

    C:\Users\trg\Desktop>tracert www.uwaterloo.ca
    Tracing route to info.uwaterloo.ca [129.97.128.40] …:
      1     8 ms    58 ms     6 ms  v602-cr-rt-phy.uwaterloo.ca [172.16.31.194]
      2     6 ms     4 ms     4 ms  re1-0-cr-sa.uwaterloo.ca [172.16.31.75]
      3     7 ms     4 ms     5 ms  info.uwaterloo.ca [129.97.128.40]
    Trace complete.

  – Without VPN:

      1    12 ms     1 ms     1 ms  dccore-nsfw02-cscfnet.uwaterloo.ca [129.97.15.1]
      2     4 ms     4 ms     4 ms  dc-cs2-csfwnet.uwaterloo.ca [172.19.5.1]
      3     5 ms     4 ms     5 ms  dc-cs1-trk1.uwaterloo.ca [172.19.1.18]
      4     3 ms     2 ms     *     v720-cn-rt-phy.uwaterloo.ca [129.97.1.77]
      5     5 ms     4 ms     4 ms  v1133-cr-rt-phy.uwaterloo.ca [172.16.31.14]
      6     4 ms     2 ms     2 ms  re1-0-cr-sa.uwaterloo.ca [172.16.31.75]
      7     3 ms     4 ms     3 ms  info.uwaterloo.ca [129.97.128.40]
    Trace complete.
Technical details, 4
• VPN will not forward non-uWaterloo traffic to off-campus
  – Relies on client to route uWaterloo traffic via the VPN, other traffic as usual
• Session idle timeout (automatic disconnect) of 30 minutes
  – But be aware of background processes
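The split-tunnel behaviour on the “Technical details, 2” and “Technical details, 4” slides (campus prefixes 129.97/16 and 172.16/12 enter the AnyConnect adapter, everything else leaves the physical NIC) is entirely a consequence of the route table the client installs. The following added example, which is not part of the CSCF deck and not Cisco’s code, replays the Windows forwarding decision (longest prefix, then lowest metric) over the rows copied from that slide, and adds the audit a defender would run on such a table: no route pointed into the tunnel may fall outside the campus prefixes. Two things are assumptions rather than statements from the deck: that the /32 for 129.97.2.197 is the VPN concentrator’s own address (a host route like that is what keeps the tunnel’s own packets from being routed back into the tunnel), and that the off-campus test address 203.0.113.10 is simply a constructed example.

```python
# Added example (not from the CSCF deck or Cisco): longest-prefix-match walk
# over the `route print` rows shown on the "Technical details, 2" slide, to show
# how split tunnelling decides which packets enter the AnyConnect virtual adapter
# (172.16.36.18) and which leave via the physical NIC (129.97.15.204).
# Assumption: the /32 route for 129.97.2.197 is the VPN concentrator's address
# (the deck does not say); the campus prefixes are the two the deck names.
import ipaddress

# Constructed input: rows copied from the slide, with the "..." rows omitted.
ROUTE_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      129.97.15.1    129.97.15.204    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
       129.97.0.0      255.255.0.0         On-link      172.16.36.18      2
     129.97.2.197  255.255.255.255      129.97.15.1    129.97.15.204     11
    129.97.15.204  255.255.255.255         On-link     129.97.15.204    266
       172.16.0.0      255.240.0.0         On-link      172.16.36.18      2
      172.16.36.0    255.255.252.0         On-link      172.16.36.18    257
     172.16.36.18  255.255.255.255         On-link      172.16.36.18    257
"""

TUNNEL_IF = ipaddress.ip_address("172.16.36.18")     # AnyConnect virtual miniport
PHYSICAL_IF = ipaddress.ip_address("129.97.15.204")  # real NIC during the demo
CAMPUS_PREFIXES = [ipaddress.ip_network("129.97.0.0/16"),
                   ipaddress.ip_network("172.16.0.0/12")]


def parse_routes(text):
    """Parse `route print` rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines()[1:]:          # first line is the header
        dest, mask, gateway, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, ipaddress.ip_address(iface), int(metric)))
    return routes


def lookup(routes, dst):
    """Windows forwarding decision: longest prefix wins, then lowest metric."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def path_for(routes, dst):
    """'tunnel' if dst leaves via the VPN adapter, 'physical' via the NIC,
    'local' for loopback and any other on-host interface."""
    _net, _gw, iface, _metric = lookup(routes, dst)
    if iface == TUNNEL_IF:
        return "tunnel"
    if iface == PHYSICAL_IF:
        return "physical"
    return "local"


def split_tunnel_audit(routes, campus_prefixes=CAMPUS_PREFIXES):
    """Defender's check: every route pointed into the tunnel must lie inside a
    campus prefix.  Returns the offending networks (empty when the policy holds),
    so a pushed route that would drag non-campus traffic into the VPN stands out."""
    return [net for net, _gw, iface, _m in routes
            if iface == TUNNEL_IF
            and not any(net.subnet_of(p) for p in campus_prefixes)]


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for dst in ("129.97.128.40",   # info.uwaterloo.ca, the tracert target
                "172.16.31.194",   # first hop seen with the VPN up
                "129.97.2.197",    # assumed concentrator: must stay off-tunnel
                "203.0.113.10"):   # constructed off-campus address (TEST-NET-3)
        net, *_ = lookup(routes, dst)
        print(f"{dst:>15} -> {path_for(routes, dst):8} (matched {net})")
    print("tunnel routes outside campus prefixes:", split_tunnel_audit(routes))
```

Running it shows the two campus destinations and the traceroute’s first hop resolving to the tunnel interface, the assumed concentrator address resolving to the physical NIC through the /32 host route (the more specific prefix beats the /16 even though its metric is higher), and the off-campus address falling through to the default route. The audit returns an empty list for the slide’s table; it would flag, for example, a 0.0.0.0/0 route bound to the tunnel adapter, which is exactly the condition the “will not forward non-uWaterloo traffic” slide relies on never occurring.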
Questions?