Chapter 11: Setting up a Virtual Private Network
TRANSCRIPT
ISA 3200 NETWORK SECURITY
Learning Objectives
- Explain the components and essential operations of virtual private networks (VPNs)
- Describe the different types of VPNs
- Create VPN setups, such as mesh or hub-and-spoke configurations
- Choose the right tunneling protocol for your VPN
- Enable secure remote access for individual users via a VPN
- Recommend best practices for effective configuration and maintenance of VPNs
7/19IS 3200, Summer 2010 2
Introduction
- Organizations routinely join LANs to facilitate secure point-to-point communications
- Private leased lines don’t scale well, utilize complex technology, and are expensive
- VPNs function like private leased lines
  - Encapsulate and encrypt data being transmitted
  - Use authentication to ensure only approved users gain access
- VPNs provide secure point-to-point communications over the public Internet
VPN Components and Operations
- VPNs can be set up with special hardware or with firewall software that includes VPN functionality
- Many firewalls have VPN systems built in
- A correctly set up VPN can be a critical component in an organization’s perimeter security configuration
- Goal of VPNs is to provide a cost-effective and secure way to connect business locations to one another and remote workers to office networks
VPN Components
- VPNs consist of two types of components:
  - Hardware devices
  - Software that performs security-related activities
- VPN tunnels have two endpoints or terminators
- Endpoints: hardware devices or software modules that
  - Encrypt data to secure information
  - Authenticate to ensure the host requesting data is an approved user
  - Encapsulate data to protect the integrity of information being sent
VPN Components (continued)
- VPN connection occurs within a TCP/IP tunnel
- Tunnel: channel or pathway of networks used by the VPN that runs through the Internet from one endpoint to another
- “Tunnel” can be misleading as it implies:
  - There is a single cable joining the endpoints
  - Only approved VPN users can utilize that cable
- In reality, the VPN “tunnel” is virtual
- Using the Internet keeps costs down and simplifies setup of the VPN but can also add uncertainty to communications
VPN Components (continued)
- Endpoint devices can be one of the following:
  - A server running a tunneling protocol
  - A VPN appliance (a special hardware device devoted to setting up VPN communications)
  - A firewall/VPN combination
  - A router-based VPN (routers that support IPSec can be set up on the perimeter of connected LANs)
- VPN scenario may also include:
  - Certificate servers: manage certificates
  - Client computers: run VPN client software, allowing remote users LAN access over the VPN
Essential Activities of VPNs
- Information transferred via VPN travels over the Internet and must be well protected
- Essential activities that protect data are:
  - IP encapsulation
  - Data payload encryption
  - Encrypted authentication
IP Encapsulation
- Used to protect VPN data packets
- Process of enclosing one packet within another packet that has different IP source and destination information
- Hides source and destination information of the encapsulated packets
- IP addresses of encapsulated packets can be in the private reserved blocks that are not usually routable over the Internet
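IP encapsulation as the slide describes it, shown as an added Python model that is not part of the course material: an inner packet between two private hosts is wrapped in an outer packet whose header carries only the gateways’ addresses, so an observer on the Internet sees the gateways and the inner packet reappears only after the far gateway strips the outer header. Addresses and payload are constructed samples; header handling is deliberately minimal (no options, no fragmentation).

```python
import ipaddress
import struct

# Constructed sample addresses: RFC 1918 inner hosts, documentation-range gateways
INNER_SRC, INNER_DST = "10.0.1.5", "10.0.2.7"          # private, not Internet-routable
OUTER_SRC, OUTER_DST = "203.0.113.1", "198.51.100.2"  # tunnel endpoints (stand-ins)
IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP encapsulation

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a valid header (checksum included) it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) plus payload, with the checksum filled in."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload

def parse_ipv4(packet: bytes) -> dict:
    """Return the header fields an on-path observer can read, plus the payload bytes."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}

def encapsulate(inner_packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Near gateway: the whole inner packet becomes the payload of a new outer packet."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner_packet)

def decapsulate(outer_packet: bytes) -> bytes:
    """Far gateway: strip the outer header and hand the inner packet to the private LAN."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return outer["payload"]

def demo() -> tuple:
    """Compare what the Internet sees with what the far gateway recovers."""
    inner = build_ipv4(INNER_SRC, INNER_DST, 17, b"constructed UDP payload")  # 17 = UDP
    on_the_wire = encapsulate(inner, OUTER_SRC, OUTER_DST)
    seen_by_observer = parse_ipv4(on_the_wire)            # only gateway addresses, protocol 4
    seen_by_far_gateway = parse_ipv4(decapsulate(on_the_wire))
    return seen_by_observer, seen_by_far_gateway
```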
Data Payload Encryption
- VPNs can be configured to fully or partially encrypt the data portion of packets
- Encryption accomplished in one of two ways:
  - Transport method: host encrypts traffic when it is generated; data is encrypted, but not headers
  - Tunnel method: traffic encrypted and decrypted in transit; both header and data portions of packets are encrypted
- Level of encryption varies
Encrypted Authentication
- Encryption domain: everything in the protected network and behind the gateway
- Authentication essential; VPN communication recipients must know the sender is an approved user
- Hosts authenticated by exchanging keys
- Two types of keys:
  - Symmetric keys: keys are the same; hosts exchange the same secret key to verify identities
  - Asymmetric keys: participants have a private key and a public key; public keys are exchanged; the public key is used to encrypt; decrypt using the private key
Benefits and Drawbacks of VPNs
- Benefits:
  - Secure networking without costly leased lines
  - Encryption/translation handled by dedicated systems, reducing production machine workload
  - Allows control of physical setup
- Drawbacks:
  - Complex and, if configured improperly, can create significant network vulnerabilities
  - Uses the unpredictable and often unreliable Internet
  - Some vendor solutions have more documented security issues than others
VPNs Extend Network Boundaries
- VPN connections that are “always on” extend your network to locations out of your control
- Some suggestions for dealing with the increased risk presented by these connections:
  - Use two or more authentication tools to identify remote users
  - Integrate virus protection
  - Use Network Access Control (NAC)
  - Set usage limits
Types of VPNs
- In general, you can set up two types of VPN:
  - Site-to-site: links two or more networks
  - Client-to-site: makes a network accessible to remote users who need dial-in access
- These two VPN types are not mutually exclusive
- Options for configuring VPNs:
  - Hardware systems
  - Software systems
  - Hybrids
- VPNs need to be able to work with any number of different operating systems or computer types
VPN Appliances
- Hardware device specially designed to terminate VPNs and join multiple LANs
- Can permit connections between large numbers of users or multiple networks
- Don’t provide other services such as file sharing and printing
- Some examples include the SonicWALL series and the Symantec Firewall/VPN appliance
Software VPN Systems
- Generally less expensive than hardware systems
- Tend to scale better on fast-growing networks
- Some examples include F-Secure VPN+ and Novell’s BorderManager VPN services
VPN Combinations of Hardware and Software
- VPN systems may implement a VPN appliance at the central network and use client software at the remote end of each VPN connection
- Most VPN concentrator appliances are capable of operating in one of two modes:
  - Client mode: concentrator acts as a software client, enabling users to connect to other remote networks via VPN
  - Network extension mode: concentrator acts as a hardware device enabling a secure site-to-site VPN connection
Combination VPNs
- A VPN system that is “mixed” uses hardware and software from different vendors
- Challenge: get all pieces of the system to communicate with one another successfully
- Solution: pick a standard security protocol that is widely used and supported by all devices, such as IPSec
VPN Setups
- With two participants in a VPN, configuration is relatively straightforward in terms of:
  - Expense
  - Technical difficulty
  - Time involved
- When three or more networks/individuals are connected, several configuration options exist:
  - Mesh
  - Hub-and-spoke
  - Hybrid
Mesh Configuration
- Each participant (network, router, or computer) in the VPN has an approved relationship, called a security association (SA), with every other participant
- During VPN configuration, each participant must be specifically identified to every other participant using the VPN
- Before initiating a connection, each VPN terminator checks its routing table or SA table to confirm the other participant has an SA with it
Mesh VPN
Hub-and-Spoke Configuration
- A single VPN router contains records of all SAs in the VPN
- Any LANs or computers participating in the VPN need only connect to the central server, not to any other machines in the VPN
- Easy to increase the size of the VPN as more branch offices or computers are added
Hub-and-Spoke VPN
Hybrid Configuration
- As organizations grow, mesh or hub-and-spoke VPN designs commonly evolve into a mixture of the two
- Mesh configurations tend to be more efficient; the central core linking the most important network branches should be a mesh configuration; other branch offices are added as spokes connecting to the VPN router at the central office
- Hybrid setup benefits from the strengths of each one—scalability of hub-and-spoke and speed of mesh
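The three configurations above, as an added Python model (not part of the course slides) that builds each participant’s SA table, counts the SAs that must be configured, and traces the hops traffic takes when every terminator may only forward to a peer it holds an SA with. Site names are constructed; the hop count is what the slides mean by the speed of mesh, the SA count is what they mean by the scalability of hub-and-spoke.

```python
from itertools import combinations

# Constructed participants: a core of three offices plus branch sites
CORE = ["hq", "dc-east", "dc-west"]
BRANCHES = ["branch-1", "branch-2", "branch-3", "branch-4"]

def mesh(sites):
    """Every participant holds an SA with every other participant."""
    table = {s: set() for s in sites}
    for a, b in combinations(sites, 2):
        table[a].add(b)
        table[b].add(a)
    return table

def hub_and_spoke(hub, spokes):
    """Only the central router holds SAs with everyone; each spoke knows the hub alone."""
    table = {hub: set(spokes)}
    for s in spokes:
        table[s] = {hub}
    return table

def hybrid(core, branches, hub):
    """Mesh among the core sites, branches attached as spokes to one core router."""
    table = mesh(core)
    for b in branches:
        table[hub].add(b)
        table[b] = {hub}
    return table

def sa_count(table):
    """Distinct SAs (each pair counted once): what has to be configured and maintained."""
    return sum(len(peers) for peers in table.values()) // 2

def path(table, src, dst):
    """Shortest hop sequence from src to dst, or None if no chain of SAs joins them.
    Each terminator only forwards to peers present in its own SA table (breadth-first)."""
    prev, frontier = {src: None}, [src]
    while frontier and dst not in prev:
        nxt = []
        for node in frontier:
            for peer in table[node]:
                if peer not in prev:
                    prev[peer] = node
                    nxt.append(peer)
        frontier = nxt
    if dst not in prev:
        return None
    hops, cur = [], dst
    while cur is not None:
        hops.append(cur)
        cur = prev[cur]
    return hops[::-1]
```

With seven sites the full mesh needs 21 SAs and reaches any peer in one hop; hub-and-spoke needs 6 SAs but routes every spoke-to-spoke flow through the hub.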
Configurations and Extranet and Intranet Access
- Each VPN endpoint represents an extension of the corporate network to a new location—an extranet
- The same security measures taken to protect the corporate network should be applied to VPN endpoints (firewalls, anti-virus, etc.)
- VPNs can also be used to give parts of the organization access to other areas through the corporate intranet
- VPN users inside the organization should have usage limits, anti-virus, and firewall protection, just as outside users should
Tunneling Protocols Used with VPNs
- In the past, firewalls providing establishment of VPNs used proprietary protocols
- Such firewalls could only establish connections with remote LANs using the same firewall brand
- Today, widespread acceptance of the IPSec protocol with the Internet Key Exchange (IKE) system means proprietary protocols are used far less often
IPSec/IKE
- IPSec provides two security methods:
  - Authentication Header (AH): authenticates packets
  - Encapsulating Security Payload (ESP): encrypts the data portion of packets
- IPSec can work in two different modes:
  - Transport mode: provides secure communications between hosts
  - Tunnel mode: used to create secure links between two private networks
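What “AH authenticates packets” means at the byte level, as an added, simplified Python model that is not from the course slides: the integrity check value covers the IP header (minus the fields routers legitimately change), the AH header and the payload, so a TTL decrement in transit still verifies while any change to an address does not. The key and packet are constructed; IP options and the anti-replay window are left out, and HMAC-SHA-256-128 stands in for whatever algorithm the SA negotiates.

```python
import hashlib
import hmac
import struct

IPPROTO_AH = 51   # protocol number the IP header carries when AH follows it
ICV_LEN = 16      # HMAC-SHA-256-128: SHA-256 tag truncated to 128 bits (RFC 4868)
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")  # constructed

def _zero_mutable(ip_header: bytes) -> bytes:
    """AH covers the IP header except fields routers change in transit, which are zeroed
    before the MAC is computed: TOS/DSCP+ECN, flags+fragment offset, TTL, header checksum (RFC 4302)."""
    h = bytearray(ip_header[:20])
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)

def compute_icv(key: bytes, ip_header: bytes, ah_no_icv: bytes, payload: bytes) -> bytes:
    """MAC over zeroed-mutable IP header + AH with its ICV field zeroed + everything after AH."""
    data = _zero_mutable(ip_header) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def protect(ip_header: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender: set protocol to 51 and insert AH (Next Header | Payload Len | Reserved | SPI | Seq | ICV).
    Payload Len is the AH length in 32-bit words minus 2: (12 + 16) / 4 - 2 = 5."""
    hdr = bytearray(ip_header[:20])
    hdr[9] = IPPROTO_AH    # IP checksum not recomputed in this model; AH excludes it anyway
    hdr = bytes(hdr)
    ah_no_icv = struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    return hdr + ah_no_icv + compute_icv(KEY, hdr, ah_no_icv, payload) + payload

def verify(key: bytes, packet: bytes) -> bool:
    """Receiver: recompute the ICV over what arrived and compare it in constant time."""
    hdr, rest = packet[:20], packet[20:]
    if hdr[9] != IPPROTO_AH or len(rest) < 12:
        return False
    ah_len = (rest[1] + 2) * 4
    ah_no_icv, icv, payload = rest[:12], rest[12:ah_len], rest[ah_len:]
    return hmac.compare_digest(compute_icv(key, hdr, ah_no_icv, payload), icv)

def demo() -> tuple:
    """Constructed packet 10.0.1.5 -> 10.0.2.7 (UDP) protected with AH, then checked after two kinds of change."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 28 + 5, 0x1234, 0, 64, 17, 0,
                     bytes([10, 0, 1, 5]), bytes([10, 0, 2, 7]))
    pkt = protect(ip, 17, spi=0x100, seq=1, payload=b"hello")
    ttl_decremented = pkt[:8] + bytes([63]) + pkt[9:]          # what a router does: still valid
    src_altered = pkt[:12] + bytes([192, 0, 2, 9]) + pkt[16:]  # header modified in transit: rejected
    return verify(KEY, pkt), verify(KEY, ttl_decremented), verify(KEY, src_altered)
```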
IPSec/IKE (continued)
IPSec/IKE VPN connection process:
1. Request to establish a connection is sent
2. Remote host generates a random number and sends it to the machine that made the original request
3. Original machine encrypts its pre-shared key using the random number and sends it to the remote host
4. Remote host decrypts the key and compares it to its own pre-shared key or keyring; if the key matches, the remote host encrypts its public key using the pre-shared key and sends it to the original machine
5. Original machine uses the public key to establish a security association (SA) and the VPN connection
PPTP
- Point-to-Point Tunneling Protocol (PPTP)
- Commonly used to connect to a network using a dial-in modem connection
- Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data
- Useful if support for older clients is needed
- Also useful because the packets sent can pass through firewalls that perform Network Address Translation (NAT)
L2TP
- Layer 2 Tunneling Protocol (L2TP)
  - Extension of Point-to-Point Protocol (PPP)
  - Uses IPSec rather than MPPE to encrypt data
  - Provides secure authenticated remote access by separating the connection initiation process from the encapsulated data forwarding process
PPP Over SSL/PPP Over SSH
- Point-to-Point Protocol (PPP) Over Secure Sockets Layer (SSL) and Point-to-Point Protocol (PPP) Over Secure Shell (SSH)
  - UNIX-based methods for creating VPNs
  - Combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH)
- SSL: public key encryption system used to provide secure communications over the WWW
- SSH: UNIX secure shell; performs secure authenticated logons and encrypted communications; requires a pre-shared key
VPN Protocols and Their Uses
Enabling Remote Access Connections within VPNs
- To enable a remote user to connect to the VPN, the user must be issued VPN client software
- User’s computer should be equipped with a firewall and anti-virus software
- A key may need to be obtained for the remote user if IPSec is used to make the VPN connection
- Problems may be encountered finding a phone provider having dial-up numbers in all locations
Configuring the Server
- If a firewall-based VPN is used, the client computer must be identified
- Check Point FireWall-1 calls the process defining a network object
- Major operating systems incorporate their own methods of providing secure remote access
  - Linux uses the IP Masquerade feature
  - Windows XP and 2000 include the New Connection Wizard
Configuring Clients
- Involves installing and configuring VPN client software or using the New Connection Wizard
- FireWall-1 uses SecuRemote, which enables connections to hosts or networks via VPN
- Important issues to consider:
  - Will the client software work with all client platforms?
  - Is the client workstation itself firewall protected?
- Because each VPN connection is a potential opening for viruses and hackers, the requirement that remote hosts be protected with firewalls should be part of the organization’s VPN policy
VPN Best Practices
- Successful operation of a VPN depends not only on hardware and software components and overall configuration
- Also depends on a number of best practices
- These include:
  - Security policy rules specific to the VPN
  - Integration of firewall packet filtering with VPN traffic
  - Auditing the VPN to ensure acceptable performance
The Need for a VPN Policy
- Essential for identifying who can use the VPN and for ensuring all users know what constitutes proper use
- Can be a separate stand-alone policy or part of a larger security policy
- Points to cover include but are not limited to:
  - Who is permitted to have VPN access
  - Whether authentication is to be used and how
  - Whether split tunneling is permitted
  - How long users can be connected in one session
  - Whether virus protection is included
Packet Filtering and VPNs
- A decision must be made early as to where data encryption and decryption will be performed in relation to packet filtering
- Encryption and decryption can occur either inside or outside the packet-filtering perimeter
PPTP Filters
- PPTP commonly used when older clients need to connect to a network through a VPN or when a tunnel must pass through a firewall that performs NAT
- For PPTP traffic to pass through a firewall, packet-filtering rules must permit such communications:
  - Incoming PPTP connections on TCP port 1723
  - PPTP packets use Generic Routing Encapsulation (GRE) packets, identified by protocol ID 47
L2TP and IPSec Packet-Filtering Rules
- L2TP uses IPSec to encrypt traffic as it passes through the firewall
- Packet-filtering rules must be set up that cover IPSec traffic
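The PPTP filters and the L2TP/IPSec filters from the two slides above, as an added Python model of a first-match inbound packet filter (not from the course material). TCP 1723 and GRE protocol 47 are the slides’ values; the IKE ports and the ESP/AH protocol numbers are the standard IANA assignments the slides leave unstated, and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers and ports; 1723 and 47 are the PPTP values named on the slides
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51
PPTP_CONTROL_PORT, L2TP_PORT = 1723, 1701
IKE_PORT, IKE_NAT_T_PORT = 500, 4500   # IKE, and UDP-encapsulated IKE/ESP when a NAT is in the path

@dataclass(frozen=True)
class Packet:
    proto: int
    dst_port: Optional[int] = None     # meaningful for TCP/UDP only

@dataclass(frozen=True)
class Rule:
    proto: int
    dst_port: Optional[int]            # None matches any port, and port-less protocols like GRE/ESP
    action: str                        # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        return p.proto == self.proto and (self.dst_port is None or p.dst_port == self.dst_port)

# Inbound rules the slides call for; anything unmatched falls to the implicit deny in evaluate()
PPTP_RULES = [
    Rule(TCP, PPTP_CONTROL_PORT, "permit"),   # PPTP control connection
    Rule(GRE, None, "permit"),                # PPTP data carried in GRE, protocol ID 47
]
L2TP_IPSEC_RULES = [
    Rule(UDP, IKE_PORT, "permit"),            # IKE negotiation
    Rule(UDP, IKE_NAT_T_PORT, "permit"),      # NAT traversal
    Rule(ESP, None, "permit"),                # IPSec ESP, protocol 50 (L2TP rides inside it)
    Rule(AH, None, "permit"),                 # IPSec AH, protocol 51
]

def evaluate(rules: list, p: Packet) -> str:
    """First matching rule wins; traffic no rule permits is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

def audit(rules: list) -> dict:
    """Run constructed inbound packets through a rule set and report each decision."""
    samples = {
        "pptp_control": Packet(TCP, PPTP_CONTROL_PORT),
        "pptp_gre": Packet(GRE),
        "ike": Packet(UDP, IKE_PORT),
        "esp": Packet(ESP),
        "l2tp_in_clear": Packet(UDP, L2TP_PORT),   # L2TP outside IPSec: must not be permitted
        "telnet": Packet(TCP, 23),
    }
    return {name: evaluate(rules, p) for name, p in samples.items()}
```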
Auditing and Testing the VPN
- Each VPN computer client should be tested
- VPN should be checked to ensure component reliability and acceptable file transfer rates
- If parts of the network frequently fail, switch ISPs
- If an ISP switch is needed, consider the following:
  - How often does the network go offline?
  - Are there backup servers to keep customers online if the primary server goes down?
  - Are there backup power supplies in case of a power outage?
  - How far is the network backbone?
Chapter Summary
- VPNs:
  - Provide secure point-to-point communications over the public Internet
  - Used for e-commerce and telecommuting
  - Can be set up with special hardware or with firewall software that includes VPN functionality
  - Are a critical component in an organization’s perimeter security configuration
Chapter Summary (continued)
- VPN data travels over public networks and needs to be well protected
- Essential data protection activities:
  - IP encapsulation
  - Data payload encryption
  - Encrypted authentication
- Two different types of VPN:
  - Site-to-site
  - Client-to-site
- The two are not necessarily mutually exclusive
Chapter Summary (continued)
- VPN configurations:
  - Mesh configuration: each participant has an approved relationship with every other participant
  - Hub-and-spoke arrangement: a single, central VPN router contains records of all associations; any other participants connect only to the central server
  - Hybrid setup: mixture that often evolves from the other configuration types as the organization grows
- Widespread use of IPSec with Internet Key Exchange (IKE) means proprietary protocols are used far less often
Chapter Summary (continued)
- IPSec provides two security methods:
  - Authentication Header (AH): authenticates packets
  - Encapsulating Security Payload (ESP): encrypts the data portion of packets
- Both methods can be used together
Chapter Summary (continued)
- Point-to-Point Tunneling Protocol (PPTP): used to connect to a network using a dial-in modem
- Layer 2 Tunneling Protocol (L2TP): extension of the protocol long used for dial-up connections on the Internet, Point-to-Point Protocol (PPP)
- Point-to-Point Protocol (PPP) Over Secure Sockets Layer (SSL) and Point-to-Point Protocol (PPP) Over Secure Shell (SSH): UNIX-based methods for creating VPNs that combine an existing tunnel system (PPP) with data encryption in transport (SSL or SSH)
Chapter Summary (continued)
- To enable a remote user to connect to a VPN, issue that user VPN client software
- Make sure the user’s computer has anti-virus software and a firewall
- May need to obtain a key for the remote user if using IPSec to make the VPN connection
- VPN best practices include:
  - Security policy rules specific to the VPN
  - Integration of firewall packet filtering and VPN traffic
  - Auditing the VPN to ensure acceptable performance