FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed.
Chapter 11: Setting Up a Virtual Private Network

Post on 23-Aug-2020



Learning Objectives

Explain the components and essential operations of virtual private networks (VPNs)

Describe the different types of VPNs

Create VPN setups, such as mesh or hub-and-spoke configurations

Choose the right tunneling protocol for your VPN

Enable secure remote access for individual users via a VPN

Recommend best practices for effective configuration and maintenance of VPNs


Introduction
Organizations routinely join LANs to facilitate secure point-to-point communications
Private leased lines don't scale well, use complex technology, and are expensive
VPNs function like private leased lines:
– They encapsulate and encrypt the data being transmitted
– They use authentication to ensure that only approved users gain access
VPNs provide secure point-to-point communications over the public Internet

VPN Components and Operations
VPNs can be set up with special-purpose hardware or with firewall software that includes VPN functionality; many firewalls have VPN systems built in
A correctly set up VPN can be a critical component of an organization's perimeter security configuration
The goal of a VPN is to provide a cost-effective and secure way to connect business locations to one another and remote workers to office networks

VPN Components
VPNs consist of two types of components:
– Hardware devices
– Software that performs the security-related activities
A VPN tunnel has two endpoints, also called terminators
Endpoints:
– Are hardware devices or software modules
– Encrypt data to keep the information confidential
– Authenticate peers to ensure that the host requesting data is an approved user
– Encapsulate data so that the original packet, its private addressing included, is carried intact across the public network (integrity is enforced by the authentication mechanism, such as a keyed hash over the packet, not by encapsulation alone)

VPN Components (continued)
A VPN connection occurs within a TCP/IP tunnel
Tunnel: the channel or pathway through the Internet that the VPN uses from one endpoint to the other
"Tunnel" can be misleading, because it implies:
– That there is a single cable joining the endpoints
– That only approved VPN users can use that cable
In reality the VPN "tunnel" is virtual: the packets are routed across shared infrastructure like any other Internet traffic, and only the encryption and authentication keep them private
Using the Internet keeps costs down and simplifies VPN setup, but it also adds uncertainty (latency, loss, outages) to communications

VPN Components (continued)
Endpoint devices can be one of the following:
– A server running a tunneling protocol
– A VPN appliance (a special-purpose hardware device devoted to setting up VPN communications)
– A firewall/VPN combination
– A router-based VPN (routers that support IPSec can be set up at the perimeter of the connected LANs)
A VPN scenario may also include:
– Certificate servers, which issue and manage the certificates used to authenticate endpoints
– Client computers, which run VPN client software that gives remote users LAN access over the VPN

Essential Activities of VPNs
Information transferred via a VPN travels over the Internet and must be well protected
The essential activities that protect the data are:
– IP encapsulation
– Data payload encryption
– Encrypted authentication

IP Encapsulation
Used to protect VPN data packets
The process of enclosing one packet within another packet that has different IP source and destination information
Hides the source and destination information of the encapsulated (inner) packets from anyone observing the public network, who sees only the outer addresses of the two VPN endpoints
The IP addresses of the encapsulated packets can be in the private reserved blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) that are not normally routable over the Internet

Data Payload Encryption
VPNs can be configured to fully or partially encrypt the data portion of packets
Encryption is accomplished in one of two ways:
– Transport method: the originating host encrypts traffic when it is generated; the data is encrypted, but the original IP header is not, so the real source and destination addresses remain visible
– Tunnel method: traffic is encrypted and decrypted by gateways along the path (the VPN endpoints); the entire original packet, header and data, is encrypted and wrapped in a new outer packet addressed between the gateways
The level of encryption (algorithm and key length) varies by implementation and configuration

Encrypted Authentication
Encryption domain: everything in the protected network behind the gateway
Authentication is essential; the recipients of VPN communication must know that the sender is an approved user
Hosts authenticate each other using keys
Two types of keys:
– Symmetric keys: both hosts hold the same secret key (distributed out of band beforehand) and verify each other's identity by proving possession of it, typically by computing a keyed hash over a fresh challenge; the key itself is never sent over the network
– Asymmetric keys: each participant has a private key and a public key; public keys are exchanged (often inside certificates); data encrypted with the public key can be decrypted only with the private key, and a signature made with the private key can be verified by anyone holding the public key, which is how the peer's identity is established

Benefits and Drawbacks of VPNs
Benefits:
– Secure networking without costly leased lines
– Encryption and translation handled by dedicated systems, reducing the workload on production machines
– Allows control over the physical setup
Drawbacks:
– Complex and, if configured improperly, can create significant network vulnerabilities
– Use an unpredictable and often unreliable Internet
– Some vendor solutions have more documented security issues than others

VPNs Extend Network Boundaries
VPN connections that are "always on" extend your network to locations out of your control
Some suggestions for dealing with the increased risk presented by these connections:
– Use two or more authentication factors (multifactor authentication) to identify remote users
– Integrate virus protection
– Use Network Access Control (NAC) to check the posture of a remote host before admitting it
– Set usage limits

Types of VPNs
In general, you can set up two types of VPN:
– Site-to-site: links two or more networks
– Client-to-site: makes a network accessible to individual remote users (historically via dial-in access, today usually over any Internet connection)
These two VPN types are not mutually exclusive
Options for configuring VPNs:
– Hardware systems
– Software systems
– Hybrids
VPNs need to be able to work with any number of different operating systems or computer types

VPN Appliances
A hardware device specially designed to terminate VPNs and join multiple LANs
Can permit connections between large numbers of users or multiple networks
Doesn't provide other services such as file sharing and printing
Examples include the SonicWALL series and the Symantec Firewall/VPN appliance

Software VPN Systems
Generally less expensive than hardware systems
Tend to scale better on fast-growing networks
Examples include F-Secure VPN+ and Novell's BorderManager VPN services

VPN Combinations of Hardware and Software
A VPN system may use a VPN appliance at the central network and client software at the remote end of each VPN connection
Most VPN concentrator appliances can operate in one of two modes:
– Client mode: the concentrator acts as a software client, enabling users behind it to connect to other remote networks via the VPN
– Network extension mode: the concentrator acts as a hardware device enabling a secure site-to-site VPN connection

Combination VPNs
A "mixed" VPN system uses hardware and software from different vendors
Challenge: getting all the pieces of the system to communicate with one another successfully
Solution: pick a standard security protocol that is widely used and supported by all devices, such as IPSec, and verify that the vendors' implementations agree on the same cipher suites, key-exchange settings, and IKE version before deployment

VPN Setups
With two participants in a VPN, configuration is relatively straightforward in terms of:
– Expense
– Technical difficulty
– Time involved
When three or more networks or individuals are connected, several configuration options exist:
– Mesh
– Hub-and-spoke
– Hybrid

Mesh Configuration
Each participant (network, router, or computer) in the VPN has an approved relationship, called a security association (SA), with every other participant
During VPN configuration, each participant must be specifically identified to every other participant in the VPN, so the number of SAs grows with the square of the number of participants
Before initiating a connection, each VPN terminator checks its routing table or SA table to confirm that the other participant has an SA with it

Mesh VPN (figure)

Hub-and-Spoke Configuration
A single VPN router (the hub) holds the records of all SAs in the VPN
Any LANs or computers participating in the VPN need only connect to the central server, not to any other machines in the VPN; traffic between two spokes passes through the hub
Easy to increase the size of the VPN as more branch offices or computers are added; the hub, however, is a single point of failure and a bandwidth bottleneck for spoke-to-spoke traffic

Hub-and-Spoke VPN (figure)

Hybrid Configuration
As organizations grow, mesh or hub-and-spoke VPN designs commonly evolve into a mixture of the two
Mesh configurations tend to be more efficient, so the central core linking the most important network branches should be a mesh; other branch offices are added as spokes connecting to the VPN router at the central office
A hybrid setup benefits from the strengths of each: the scalability of hub-and-spoke and the speed of mesh
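The three layouts above, as an added example that is not part of the textbook slides: a small model of the SA tables a mesh, a hub-and-spoke and a hybrid VPN would hold, the SA-table check a terminator performs before initiating a connection, and the relay path spoke-to-spoke traffic takes through a hub. The site names (HQ, DC-East, Branch-1 and so on) and the topology are constructed for the example; the SA-count formulas are the general ones for n participants.

```python
"""
Added example (not from the textbook): SA tables for mesh, hub-and-spoke
and hybrid VPN layouts, plus the pre-connection SA check and the relay
path through hubs. Site names and topology are constructed.
"""
from collections import deque
from itertools import combinations


def mesh_sas(sites):
    """Every participant has an SA with every other: n(n-1)/2 SAs."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def hub_spoke_sas(hub, spokes):
    """Only the hub holds an SA with each spoke: n-1 SAs for n participants."""
    return {frozenset((hub, spoke)) for spoke in spokes}


def hybrid_sas(core, spokes_by_hub):
    """Meshed core plus spokes hanging off individual core sites."""
    sas = mesh_sas(core)
    for hub, spokes in spokes_by_hub.items():
        sas |= hub_spoke_sas(hub, spokes)
    return sas


def has_sa(sas, a, b):
    """The SA-table check a terminator performs before initiating."""
    return frozenset((a, b)) in sas


def vpn_path(sas, src, dst):
    """Shortest chain of SAs from src to dst (breadth-first search):
    direct if an SA exists, otherwise relayed through one or more hubs.
    Returns None if the two participants cannot reach each other."""
    if src == dst:
        return [src]
    neighbours = {}
    for sa in sas:
        a, b = tuple(sa)
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([[src]])
    while queue:
        path = queue.popleft()
        for nxt in neighbours.get(path[-1], ()):
            if nxt == dst:
                return path + [nxt]
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def sa_counts(n):
    """How many SAs each design needs for n participants."""
    return {"mesh": n * (n - 1) // 2, "hub_and_spoke": n - 1}


def demo():
    """Constructed hybrid: three meshed core sites, three branch spokes."""
    core = ["HQ", "DC-East", "DC-West"]
    spokes = {"HQ": ["Branch-1", "Branch-2"], "DC-West": ["Branch-3"]}
    sas = hybrid_sas(core, spokes)
    return {
        "sa_count": len(sas),
        "direct_core": has_sa(sas, "DC-East", "DC-West"),
        "direct_spokes": has_sa(sas, "Branch-1", "Branch-3"),
        "spoke_path": vpn_path(sas, "Branch-1", "Branch-3"),
    }


if __name__ == "__main__":
    print(demo())
    print(sa_counts(10))
```

Running `demo()` shows the point of the hybrid design: the core sites talk directly, while a branch reaching another branch is relayed over two hub SAs (Branch-1 to HQ to DC-West to Branch-3), which is where the hub's bandwidth and availability matter. `sa_counts(10)` shows the scaling difference that drives the choice: 45 SAs for a full mesh against 9 for hub-and-spoke.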

Configurations and Extranet and Intranet Access
Each VPN endpoint represents an extension of the corporate network to a new location, an extranet
The same security measures taken to protect the corporate network should be applied to VPN endpoints (firewalls, anti-virus, etc.)
VPNs can also be used to give parts of an organization access to other areas through the corporate intranet
VPN users inside the organization should have usage limits, anti-virus, and firewall protection, just as outside users should

Tunneling Protocols Used with VPNs
In the past, firewalls that established VPNs used proprietary protocols
Such firewalls could only establish connections with remote LANs that used the same brand of firewall
Today, the widespread acceptance of the IPSec protocol with the Internet Key Exchange (IKE) system means proprietary protocols are used far less often

IPSec/IKE
IPSec provides two security methods:
– Authentication Header (AH): authenticates packets, covering the payload and the non-changing fields of the IP header, but provides no encryption; because the addresses are covered, AH cannot survive address translation (NAT)
– Encapsulating Security Payload (ESP): encrypts the data portion of packets and can also authenticate it
IPSec can work in two different modes:
– Transport mode: provides secure communications between hosts; the original IP header is kept and only the payload is protected
– Tunnel mode: used to create secure links between two private networks; the whole original packet is protected and a new outer IP header addressed between the gateways is added
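The IP encapsulation, transport-versus-tunnel and AH points from the slides above, as an added example that is not code from the textbook: it builds real IPv4 headers with the standard library, wraps a packet between two private hosts in an outer packet addressed between the gateways (tunnel mode), and computes an AH-style integrity check value over the packet with the mutable header fields zeroed, the way AH does. It then shows why AH tolerates a router decrementing the TTL but not a NAT device rewriting the source address. The gateway addresses, private hosts, HMAC key and payload are all constructed for the example; the real AH header layout (SPI, sequence number) and negotiated keys are omitted, and ESP's encryption is not modelled because the standard library has no AES.

```python
"""
Added example (not from the textbook): IP-in-IP encapsulation and an
AH-style integrity check, standard library only. All addresses, the key
and the payload are constructed for illustration.
"""
import hashlib
import hmac
import struct

IPPROTO_IPIP = 4    # IP-in-IP: tunnel mode carries a whole IP packet as payload
IPPROTO_UDP = 17


def _checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """The header fields an observer on the wire can read."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {"src": bytes_to_ip(f[8]), "dst": bytes_to_ip(f[9]),
            "proto": f[6], "ttl": f[5], "payload": packet[20:]}


def encapsulate(inner_packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: wrap the whole inner packet in a new outer IP header."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner_packet)


def decapsulate(outer_packet: bytes) -> bytes:
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return outer["payload"]


def ah_icv(packet: bytes, key: bytes) -> bytes:
    """AH-style integrity check value: HMAC over the packet with the
    mutable header fields (TOS, flags/fragment offset, TTL, checksum)
    zeroed, so routers may change them in transit. Addresses are not
    mutable, which is why AH breaks when a NAT device rewrites them."""
    hdr = bytearray(packet[:20])
    hdr[1] = 0                  # TOS / DSCP
    hdr[6:8] = b"\x00\x00"      # flags + fragment offset
    hdr[8] = 0                  # TTL
    hdr[10:12] = b"\x00\x00"    # header checksum
    return hmac.new(key, bytes(hdr) + packet[20:], hashlib.sha256).digest()


def ah_verify(packet: bytes, icv: bytes, key: bytes) -> bool:
    return hmac.compare_digest(ah_icv(packet, key), icv)


def demo() -> dict:
    key = b"constructed-ah-key-not-for-real-use"
    # Inner packet between two RFC 1918 hosts sitting behind the gateways.
    inner = build_ipv4("10.1.0.5", "10.2.0.9", IPPROTO_UDP, b"payroll data")
    # Tunnel mode: only the gateways' public addresses appear in the outer header.
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.7")
    seen = parse_ipv4(outer)
    icv = ah_icv(outer, key)
    # A router decrementing the TTL does not disturb the AH check...
    aged = build_ipv4("203.0.113.1", "198.51.100.7", IPPROTO_IPIP, inner, ttl=63)
    # ...but a NAT device rewriting the source address does.
    natted = build_ipv4("192.0.2.200", "198.51.100.7", IPPROTO_IPIP, inner)
    return {
        "wire_src": seen["src"],
        "wire_dst": seen["dst"],
        "inner_src_hidden": ip_to_bytes("10.1.0.5") not in outer[:20],
        "inner_src_recovered": parse_ipv4(decapsulate(outer))["src"],
        "ttl_change_ok": ah_verify(aged, icv, key),
        "nat_rewrite_ok": ah_verify(natted, icv, key),
    }


if __name__ == "__main__":
    print(demo())
```

In transport mode the same integrity check would run over the inner packet as built, with its 10.x addresses left in the header; encapsulation is what moves those addresses out of the part of the packet that public routers read. The NAT result is the practical reason L2TP/IPSec deployments behind home routers rely on ESP with NAT traversal rather than AH.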

IPSec/IKE (continued)
IPSec/IKE VPN connection process (simplified; real IKE also includes a Diffie-Hellman exchange so the session keys are fresh for each connection rather than derived from the pre-shared key alone):
– 1. A request to establish a connection is sent
– 2. The remote host generates a random number (a nonce) and sends it to the machine that made the original request
– 3. The original machine combines its pre-shared key with the random number using a keyed hash and sends the result to the remote host; the pre-shared key itself is never transmitted
– 4. The remote host performs the same computation with its own pre-shared key or keyring; if the result matches, it sends its public key value, protected by the pre-shared key, to the original machine
– 5. The original machine uses that public key value to derive the session keys, establish the security association (SA), and bring up the VPN connection
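The five-step exchange above, together with the symmetric-key authentication described under Encrypted Authentication, as an added example that is not the textbook's own code: each side contributes a nonce and an ephemeral Diffie-Hellman value, SKEYID is derived from the pre-shared key and both nonces, and each side proves possession of the pre-shared key with a keyed hash over the DH values and nonces, so the key itself never crosses the wire. The toy 127-bit prime, the HMAC-SHA256 PRF and the message layout are constructed for illustration; the prime is far too small for real use, where IKE uses 2048-bit or larger MODP groups or elliptic curves, and real IKE messages carry SA proposals and identities in a defined format.

```python
"""
Added example (not from the textbook): an IKE-style pre-shared-key
authentication with an ephemeral Diffie-Hellman exchange. The modulus,
PRF and message layout are constructed for illustration.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus, insecure; use an RFC 3526 group in practice
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _b(n: int) -> bytes:
    return n.to_bytes(16, "big")


class Peer:
    def __init__(self, name: str, psk: bytes):
        self.name = name.encode()
        self.psk = psk
        self.nonce = secrets.token_bytes(16)
        self.x = secrets.randbelow(P - 2) + 1    # ephemeral DH secret
        self.pub = pow(G, self.x, P)            # g^x mod p, sent in the clear
        self.session_key = None

    def hello(self) -> dict:
        """Steps 1-2: identity, nonce and DH public value."""
        return {"id": self.name, "nonce": self.nonce, "dh": self.pub}

    def derive(self, peer_hello: dict, initiator_first: bool) -> bytes:
        """SKEYID = prf(psk, Ni | Nr); the session key mixes in the DH secret."""
        shared = _b(pow(peer_hello["dh"], self.x, P))
        ni, nr = ((self.nonce, peer_hello["nonce"]) if initiator_first
                  else (peer_hello["nonce"], self.nonce))
        skeyid = prf(self.psk, ni + nr)
        self.session_key = prf(skeyid, shared + b"session")
        return skeyid

    def auth_proof(self, skeyid: bytes, peer_hello: dict) -> bytes:
        """Steps 3-4: prove PSK possession by hashing both DH values, the
        peer's nonce and our identity under SKEYID. The PSK is not revealed."""
        return prf(skeyid, _b(self.pub) + _b(peer_hello["dh"])
                   + peer_hello["nonce"] + self.name)

    def verify_peer(self, skeyid: bytes, peer_hello: dict, proof: bytes) -> bool:
        expected = prf(skeyid, _b(peer_hello["dh"]) + _b(self.pub)
                       + self.nonce + peer_hello["id"])
        return hmac.compare_digest(expected, proof)


def handshake(initiator: Peer, responder: Peer, tamper=None) -> bool:
    """Run the exchange. `tamper`, if given, rewrites the initiator's hello
    as an on-path attacker would. Returns True only if both sides
    authenticate each other and derive the same session key (step 5)."""
    hi, hr = initiator.hello(), responder.hello()
    hi_seen = tamper(hi) if tamper else hi
    sk_i = initiator.derive(hr, initiator_first=True)
    sk_r = responder.derive(hi_seen, initiator_first=False)
    if not responder.verify_peer(sk_r, hi_seen, initiator.auth_proof(sk_i, hr)):
        return False
    if not initiator.verify_peer(sk_i, hr, responder.auth_proof(sk_r, hi_seen)):
        return False
    return initiator.session_key == responder.session_key


if __name__ == "__main__":
    a, b = Peer("gw-a", b"correct-psk"), Peer("gw-b", b"correct-psk")
    print("matching PSK:", handshake(a, b))
    c, d = Peer("gw-c", b"correct-psk"), Peer("gw-d", b"wrong-psk")
    print("mismatched PSK:", handshake(c, d))
```

Two failure modes are worth running: a mismatched pre-shared key makes the two SKEYID values differ, so the first proof fails and no SA is created; and an on-path attacker who swaps the initiator's DH value for one of their own is caught because the proof covers both DH values, which is what stops a man-in-the-middle even though the DH values travel unencrypted.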

PPTP
Point-to-Point Tunneling Protocol (PPTP)
Commonly used to connect to a network using a dial-in modem connection
Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data
Useful if support for older clients is needed
Also useful because its packets can pass through firewalls that perform Network Address Translation (NAT), provided the NAT device understands GRE (often called PPTP passthrough), since GRE carries no port numbers to translate
Caveat: the MPPE keys are derived from the MS-CHAP password exchange, which is cryptographically weak by modern standards; prefer L2TP/IPSec or another IPSec-based option wherever the clients support it

L2TP
Layer 2 Tunneling Protocol (L2TP)
An extension of the Point-to-Point Protocol (PPP)
Uses IPSec rather than MPPE to encrypt data; L2TP by itself only tunnels and provides no encryption
Provides secure, authenticated remote access by separating the connection initiation process from the encapsulated data forwarding process

PPP Over SSL/PPP Over SSH
Point-to-Point Protocol (PPP) Over Secure Sockets Layer (SSL) and Point-to-Point Protocol (PPP) Over Secure Shell (SSH)
– UNIX-based methods for creating VPNs
– Combine an existing tunnel system (PPP) with a way of encrypting data in transit (SSL or SSH)
SSL: a public-key based encryption protocol used to provide secure communications over the WWW (superseded by TLS)
SSH: the UNIX secure shell; performs secure, authenticated logons and encrypted communications; the server is identified by a host key that the client must already know or verify on first use, and the user authenticates with a password or a public key

VPN Protocols and Their Uses (table)

Enabling Remote Access Connections within VPNs
To enable a remote user to connect to the VPN, the user must be issued VPN client software
The user's computer should be equipped with a firewall and anti-virus software
A key or certificate may need to be issued to the remote user if IPSec is used to make the VPN connection
Problems may be encountered finding a phone provider that has dial-up numbers in all locations

Configuring the Server
If a firewall-based VPN is used, the client computer must be identified to the firewall
Check Point FireWall-1 calls this process defining a network object
Major operating systems incorporate their own methods of providing secure remote access
Linux offers the IP Masquerade feature (its NAT implementation) for passing remote users' traffic through the gateway; the VPN itself is provided by a separate IPSec or PPTP/L2TP service
Windows XP and 2000 include the New Connection Wizard

Configuring Clients
Involves installing and configuring VPN client software or using the New Connection Wizard
FireWall-1 uses SecuRemote, which enables connections to hosts or networks via the VPN
Important issues to consider:
– Will the client software work with all client platforms?
– Is the client workstation itself protected by a firewall?
Because each VPN connection is a potential opening for viruses and hackers, the requirement that remote hosts be protected with firewalls should be part of the organization's VPN policy

VPN Best Practices
Successful operation of a VPN depends not only on the hardware and software components and the overall configuration
It also depends on a number of best practices, which include:
– Security policy rules specific to the VPN
– Integration of firewall packet filtering with VPN traffic
– Auditing the VPN to ensure acceptable performance

The Need for a VPN Policy
Essential for identifying who can use the VPN and for ensuring all users know what constitutes proper use
Can be a separate stand-alone policy or part of a larger security policy
Points to cover include but are not limited to:
– Who is permitted to have VPN access
– Which authentication methods are required and how they are provisioned
– Whether split tunneling is permitted (a connected client reaching the Internet directly at the same time, which lets whatever that client is exposed to reach the corporate network through it)
– How long users can be connected in one session
– Whether virus protection is required on the client

Packet Filtering and VPNs
A decision must be made early as to where data encryption and decryption will be performed in relation to packet filtering
Encryption and decryption can occur either inside or outside the packet-filtering perimeter: if the VPN terminates outside it, the firewall can inspect the decrypted traffic; if it terminates inside, the firewall sees only encrypted tunnel packets and can filter on the tunnel endpoints and protocols, not on the traffic carried inside

PPTP Filters
PPTP is commonly used when older clients need to connect to a network through a VPN or when a tunnel must pass through a firewall that performs NAT
For PPTP traffic to pass through a firewall, the packet-filtering rules must permit such communications
Incoming PPTP control connections arrive on TCP port 1723
PPTP data packets use Generic Routing Encapsulation (GRE), identified by IP protocol number 47; because GRE has no port numbers, the rule must match on the protocol number rather than on a port

L2TP and IPSec Packet-Filtering Rules
L2TP uses IPSec to encrypt the traffic as it passes through the firewall
Packet-filtering rules must be set up that cover the IPSec traffic: IKE on UDP port 500, NAT traversal (IKE and UDP-encapsulated ESP) on UDP port 4500, and ESP (IP protocol 50) or AH (IP protocol 51); the L2TP control and data traffic itself (UDP port 1701) travels inside the IPSec tunnel and needs no separate rule at the perimeter
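The PPTP and L2TP/IPSec filter rules from the two slides above, as an added example that is not from the textbook: a first-match packet filter with the rules a perimeter needs for each protocol and a default deny, evaluated over constructed sample packets. The VPN server address 198.51.100.7 and the client addresses are made up for the example; the port and protocol numbers are the real ones (TCP 1723 and GRE, protocol 47, for PPTP; UDP 500, UDP 4500, ESP protocol 50 and AH protocol 51 for IPSec). The equivalent iptables commands appear as comments beside each rule.

```python
"""
Added example (not from the textbook): a first-match packet filter for
PPTP and L2TP/IPSec traffic. Server and client addresses are constructed.
"""
from dataclasses import dataclass
from typing import Optional

VPN_SERVER = "198.51.100.7"          # constructed example address
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                       # IP protocol number
    dport: Optional[int] = None      # only meaningful for TCP/UDP


@dataclass(frozen=True)
class Rule:
    name: str
    proto: Optional[int]             # None = any protocol
    dport: Optional[int]             # None = any port / portless protocol
    dst: Optional[str]               # None = any destination
    action: str                      # "ACCEPT" or "DROP"


# Inbound rules on the external interface; first match wins.
RULES = [
    # iptables -A INPUT -p tcp --dport 1723 -d 198.51.100.7 -j ACCEPT
    Rule("pptp-control", TCP, 1723, VPN_SERVER, "ACCEPT"),
    # iptables -A INPUT -p gre -d 198.51.100.7 -j ACCEPT
    Rule("pptp-gre", GRE, None, VPN_SERVER, "ACCEPT"),
    # iptables -A INPUT -p udp --dport 500 -d 198.51.100.7 -j ACCEPT
    Rule("ike", UDP, 500, VPN_SERVER, "ACCEPT"),
    # iptables -A INPUT -p udp --dport 4500 -d 198.51.100.7 -j ACCEPT
    Rule("ike-nat-t", UDP, 4500, VPN_SERVER, "ACCEPT"),
    # iptables -A INPUT -p esp -d 198.51.100.7 -j ACCEPT
    Rule("esp", ESP, None, VPN_SERVER, "ACCEPT"),
    # iptables -A INPUT -p ah -d 198.51.100.7 -j ACCEPT
    Rule("ah", AH, None, VPN_SERVER, "ACCEPT"),
    # iptables -P INPUT DROP
    Rule("default-deny", None, None, None, "DROP"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def filter_packet(pkt: Packet, rules=RULES):
    """Return (action, rule name) for the first matching rule."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "DROP", "implicit"


# Constructed sample traffic: what a PPTP client and an L2TP/IPSec client
# send to the server, plus two packets the perimeter must not admit.
SAMPLES = {
    "pptp_ctrl":  Packet("203.0.113.10", VPN_SERVER, TCP, 1723),
    "pptp_data":  Packet("203.0.113.10", VPN_SERVER, GRE),
    "ike":        Packet("203.0.113.11", VPN_SERVER, UDP, 500),
    "nat_t":      Packet("203.0.113.11", VPN_SERVER, UDP, 4500),
    "esp":        Packet("203.0.113.11", VPN_SERVER, ESP),
    # L2TP outside IPSec (plain UDP 1701) has no rule and is refused.
    "l2tp_bare":  Packet("203.0.113.11", VPN_SERVER, UDP, 1701),
    # PPTP aimed at a host other than the VPN server is refused.
    "wrong_host": Packet("203.0.113.12", "198.51.100.8", TCP, 1723),
}


def classify_all(samples=SAMPLES) -> dict:
    return {name: filter_packet(pkt)[0] for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:11s} {filter_packet(pkt)}")
```

The two refused samples carry the lesson: bare L2TP on UDP 1701 should never reach the server from the outside, because L2TP without IPSec is an unencrypted tunnel, and the VPN rules should be pinned to the VPN server's address so a PPTP or IKE listener accidentally enabled on another host is not reachable from the Internet.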

Auditing and Testing the VPN
Each VPN client computer should be tested
The VPN should be checked to ensure component reliability and acceptable file transfer rates
If parts of the network frequently fail, consider switching ISPs
If an ISP switch is needed, ask the following:
– How often does the network go offline?
– Are there backup servers to keep customers online if a primary server goes down?
– Are there backup power supplies in case of a power outage?
– How far away is the network backbone?

Chapter Summary
VPNs:
– Provide secure point-to-point communications over the public Internet
– Are used for e-commerce and telecommuting
– Can be set up with special hardware or with firewall software that includes VPN functionality
– Are a critical component in an organization's perimeter security configuration

Chapter Summary (continued)
VPN data travels over public networks and needs to be well protected
Essential data protection activities:
– IP encapsulation
– Data payload encryption
– Encrypted authentication
Two different types of VPN:
– Site-to-site
– Client-to-site
The two are not necessarily mutually exclusive

Chapter Summary (continued)
VPN configurations:
– Mesh configuration: each participant has an approved relationship with every other participant
– Hub-and-spoke arrangement: a single, central VPN router contains the records of all associations; all other participants connect only to that central server
– Hybrid setup: a mixture that often evolves from the other configuration types as the organization grows
Widespread use of IPSec with Internet Key Exchange (IKE) means proprietary protocols are used far less often

Chapter Summary (continued)
IPSec provides two security methods:
– Authentication Header (AH): authenticates packets
– Encapsulating Security Payload (ESP): encrypts the data portion of packets
Both methods can be used together

Chapter Summary (continued)
Point-to-Point Tunneling Protocol (PPTP) is used to connect to a network using a dial-in modem
Layer 2 Tunneling Protocol (L2TP) is an extension of the protocol long used for dial-up connections on the Internet, the Point-to-Point Protocol (PPP)
Point-to-Point Protocol (PPP) Over Secure Sockets Layer (SSL) and Point-to-Point Protocol (PPP) Over Secure Shell (SSH):
– UNIX-based methods for creating VPNs
– Combine an existing tunnel system (PPP) with data encryption in transit (SSL or SSH)

Chapter Summary (continued)
To enable a remote user to connect to a VPN, issue that user VPN client software
Make sure the user's computer has anti-virus software and a firewall
You may need to obtain a key for the remote user if using IPSec to make the VPN connection
VPN best practices include:
– Security policy rules specific to the VPN
– Integration of firewall packet filtering and VPN traffic
– Auditing the VPN to ensure acceptable performance