Setting Up a Virtual Private Network Chapter 9

Upload: jarrod-eaton

Post on 30-Dec-2015
DESCRIPTION

Setting Up a Virtual Private Network. Chapter 9. Learning objectives: understand the components and essential operations of virtual private networks (VPNs); describe the different types of VPNs; create VPN setups such as mesh or hub-and-spoke configurations. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: Setting Up a Virtual Private Network

Setting Up a Virtual Private Network

Chapter 9

Page 2: Setting Up a Virtual Private Network

Learning Objectives

Understand the components and essential operations of virtual private networks (VPNs)

Describe the different types of VPNs

Create VPN setups such as mesh or hub-and-spoke configurations

Choose the right tunneling protocol for your VPN

Enable secure remote access for individual users via a VPN

Observe best practices for configuring and maintaining VPNs effectively

Page 3: Setting Up a Virtual Private Network

VPNs

Goal: Provide a cost-effective and secure way to connect businesses to one another and remote workers to office networks

Encapsulate and encrypt data being transmitted

Use authentication to ensure that only approved users can access the VPN

Provide a means of secure point-to-point communications over the public Internet

Page 4: Setting Up a Virtual Private Network

VPN Components and Operations

Essential components that make up a VPN

How VPNs enable data to be accessed securely

Advantages and disadvantages of using VPNs compared to leased lines

How VPNs extend network boundaries

Page 5: Setting Up a Virtual Private Network

Components within VPNS

Hardware devices

Can have two endpoints or terminators

Can have a (virtual) tunnel

Software that performs security-related activities

Page 9: Setting Up a Virtual Private Network

Devices That Form the Endpoints of the VPN

Server running on a tunneling protocol

VPN appliance

A firewall/VPN combination

A router-based VPN

Page 10: Setting Up a Virtual Private Network

Essential Activities of VPNs

IP encapsulation

Data payload encryption

Encrypted authentication

Page 11: Setting Up a Virtual Private Network

IP Encapsulation

Provides a high degree of protection: the VPN encapsulates the actual data packets inside outer packets whose source and destination addresses are those of the VPN gateways

Source and destination addresses of the actual data packets are therefore completely hidden from anyone observing the path (in tunnel mode, which is what gateway-to-gateway VPNs use)

Because a VPN tunnel is used, the source and destination IP addresses of the actual data packets can be in private address blocks (RFC 1918) that are not routable over the Internet

Page 12: Setting Up a Virtual Private Network

Data Payload Encryption

Transport mode: the original IP header is kept and only the payload is encrypted, so the real endpoint addresses stay visible on the wire; typically used host-to-host

Tunnel mode: the entire original packet, header included, is encrypted and wrapped in a new outer packet addressed between the VPN gateways; used for gateway-to-gateway and client-to-gateway VPNs
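The two encapsulation modes above, as an added worked example (not part of the original slides): it builds a real IPv4 header, wraps a packet from one private network to another in an ESP-style body in transport mode and in tunnel mode, and shows what an on-path eavesdropper learns from the outer header in each case. The gateway addresses, the key, the SPI values and the `esp-enc`/`esp-auth` subkey labels are constructed for the demo; the HMAC-SHA256 counter-mode cipher is a stand-in for the AES transforms a real ESP implementation uses, so the framing is what is being illustrated, not the cryptographic strength.

```python
"""IP encapsulation: ESP in transport vs tunnel mode (added example)."""
import hashlib
import hmac
import ipaddress
import struct

ESP = 50   # IP protocol number for ESP
IPIP = 4   # ESP "next header" value meaning: the payload is a whole IPv4 packet
TCP = 6
HDR_LEN = 20

def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; assumption: no options, no fragmentation."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, HDR_LEN + payload_len, 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:total]}

def _subkeys(key: bytes):
    # Stand-in for IKE's PRF-based derivation of separate encryption and integrity keys.
    return (hmac.new(key, b"esp-enc", hashlib.sha256).digest(),
            hmac.new(key, b"esp-auth", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for the AES transforms ESP really uses.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def esp_seal(key: bytes, spi: int, seq: int, plaintext: bytes, next_header: int) -> bytes:
    """ESP body: SPI | sequence | encrypt(plaintext || next_header) | 16-byte ICV."""
    enc_key, auth_key = _subkeys(key)
    head = struct.pack("!II", spi, seq)
    body = plaintext + bytes([next_header])
    ct = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, head, len(body))))
    icv = hmac.new(auth_key, head + ct, hashlib.sha256).digest()[:16]
    return head + ct + icv

def esp_open(key: bytes, esp: bytes):
    """Verify the ICV first (encrypt-then-MAC), then decrypt; returns (plaintext, next_header)."""
    enc_key, auth_key = _subkeys(key)
    head, ct, icv = esp[:8], esp[8:-16], esp[-16:]
    expect = hmac.new(auth_key, head + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ESP integrity check failed")
    body = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, head, len(ct))))
    return body[:-1], body[-1]

def transport_mode(key: bytes, inner: bytes) -> bytes:
    """Keep the original IP header (addresses stay visible); protect only the payload."""
    ip = parse_ipv4(inner)
    esp = esp_seal(key, 0x1001, 1, ip["payload"], ip["proto"])
    return ipv4_header(ip["src"], ip["dst"], ESP, len(esp)) + esp

def tunnel_mode(key: bytes, gw_src: str, gw_dst: str, inner: bytes) -> bytes:
    """Encrypt the whole inner packet, header included, behind a new gateway-to-gateway header."""
    esp = esp_seal(key, 0x2002, 1, inner, IPIP)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

def decapsulate(key: bytes, wire: bytes) -> bytes:
    """Undo either mode at the receiving endpoint and hand back the original packet."""
    outer = parse_ipv4(wire)
    if outer["proto"] != ESP:
        raise ValueError("not an ESP packet")
    plain, nh = esp_open(key, outer["payload"])
    if nh == IPIP:            # tunnel mode: the plaintext is the whole original packet
        return plain
    return ipv4_header(outer["src"], outer["dst"], nh, len(plain)) + plain

def observer_view(wire: bytes):
    """What an eavesdropper on the Internet path learns from the cleartext outer header."""
    o = parse_ipv4(wire)
    return o["src"], o["dst"], o["proto"]

if __name__ == "__main__":
    key = b"\x42" * 32                       # constructed demo key; real keys come from IKE
    inner = ipv4_header("10.1.0.5", "10.2.0.9", TCP, 12) + b"hello branch"
    print("transport:", observer_view(transport_mode(key, inner)))
    print("tunnel:   ", observer_view(tunnel_mode(key, "203.0.113.1", "198.51.100.1", inner)))
```

Running it shows the difference the slides describe: in transport mode the observer still sees `10.1.0.5 -> 10.2.0.9`, protocol 50; in tunnel mode only `203.0.113.1 -> 198.51.100.1`, protocol 50, and the private addresses never appear on the Internet path. Flipping any ciphertext byte makes `decapsulate` raise, which is why the integrity check runs before decryption.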

Page 13: Setting Up a Virtual Private Network

Encrypted Authentication

Hosts authenticate each other by proving possession of cryptographic keys: long random values produced by key-generation algorithms, exchanged or agreed on before any data is sent

Types of keys that can be used

Symmetric keys: the same secret at both ends (a pre-shared key), which must be distributed out of band

Asymmetric keys: a public/private pair, where only the public half is exchanged, usually inside a certificate

Page 14: Setting Up a Virtual Private Network

Advantages and Disadvantages of VPNs

Page 15: Setting Up a Virtual Private Network

VPNs Extend a Network’s Boundaries

To deal with the increased risk caused by VPN connections

Use two or more authentication tools to identify remote users

Integrate virus protection

Set usage limits

Page 16: Setting Up a Virtual Private Network

Types of VPNs

Site-to-site VPN: links two or more networks

Client-to-site VPN: makes a network accessible to remote users who need dial-in access

Page 17: Setting Up a Virtual Private Network

VPN Appliances

Hardware devices specially designed to terminate VPNs and join multiple LANs

Permit connections, but do not provide other services (e.g., file sharing, printing)

Enable connections of more tunnels and users than software systems

Examples: SonicWALL series, Symantec Firewall/VPN appliance

Page 18: Setting Up a Virtual Private Network

Advantage of Using Hardware Systems

Page 19: Setting Up a Virtual Private Network

Software VPN Systems

Generally less expensive than hardware systems

Tend to scale better for fast-growing networks

Examples: F-Secure VPN+, Novell BorderManager VPN services, Check Point FireWall-1

Page 20: Setting Up a Virtual Private Network

VPN Combinations of Hardware and Software

Cisco 3000 Series VPN Concentrator gives users the choice of operating in:

Client mode, or

Network extension mode

Page 21: Setting Up a Virtual Private Network

VPN Combinations of Different Vendors’ Products

Challenge: get all pieces to talk to and communicate with one another successfully

Pick a standard security protocol that is widely used and that all devices support (e.g., IPSec), and confirm that each vendor supports the same key exchange, cipher and integrity algorithms, since two "IPSec" products can still fail to negotiate a common proposal

Page 22: Setting Up a Virtual Private Network

VPN Setups

If two participants: configuration is relatively straightforward in terms of expense, technical difficulty, and time

If three or more, several options:

Mesh configuration

Hub-and-spoke arrangement

Hybrid setup

Page 23: Setting Up a Virtual Private Network

Mesh Configuration

Connects multiple computers that each have a security association (SA) with all other machines in the VPN

Page 25: Setting Up a Virtual Private Network

Hub-and-Spoke Configuration

A single VPN router maintains records of all SAs

Any device that wishes to participate in the VPN need only connect to the central router

Easy to increase the size of the VPN

The requirement that all communications flow into and out of the central router slows down communications and makes the hub a single point of failure

Page 27: Setting Up a Virtual Private Network

Hybrid Configuration

Benefits from the strengths of each: scalability of the hub-and-spoke option and speed of the mesh option

Use mesh for the most important branches of the network and critical communications

Use hub-and-spoke for overseas branches and for new branch offices
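The three topologies above, as an added example that is not part of the original slides: it lists the security associations each design needs for a set of sites and finds the path spoke-to-spoke traffic takes, which makes the hub-and-spoke bottleneck and the mesh SA explosion concrete. Site names (`HQ`, `NY`, `LON`, `TOK`, `SYD`) are constructed for the demo.

```python
"""Security associations and forwarding paths for VPN topologies (added example)."""
from collections import deque
from itertools import combinations

def mesh_tunnels(sites):
    """Full mesh: every pair of sites keeps its own security association."""
    return sorted(combinations(sorted(sites), 2))

def hub_spoke_tunnels(hub, spokes):
    """Hub-and-spoke: each spoke keeps exactly one SA, with the hub."""
    return [(hub, s) for s in sorted(spokes)]

def hybrid_tunnels(hub, core, spokes):
    """Mesh the critical sites (the hub included); hang the remaining sites off the hub."""
    return mesh_tunnels(set(core) | {hub}) + hub_spoke_tunnels(hub, spokes)

def sa_counts(n):
    """SAs each design needs for n sites: mesh grows quadratically, hub-and-spoke linearly."""
    return {"mesh": n * (n - 1) // 2, "hub-and-spoke": n - 1}

def build_graph(tunnels):
    graph = {}
    for a, b in tunnels:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def tunnel_path(tunnels, src, dst):
    """Shortest site-to-site path over the tunnels (BFS); extra hops mean the hub is in the path."""
    graph = build_graph(tunnels)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(graph.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]

if __name__ == "__main__":
    # Constructed site list: HQ is the hub, NY and LON are critical, TOK and SYD are new branches.
    hybrid = hybrid_tunnels("HQ", ["NY", "LON"], ["TOK", "SYD"])
    print("hybrid SAs:", hybrid)
    print("NY -> LON:", tunnel_path(hybrid, "NY", "LON"))
    print("TOK -> SYD:", tunnel_path(hybrid, "TOK", "SYD"))
    print("5 sites:", sa_counts(5))
```

With five sites the mesh needs ten SAs and hub-and-spoke four; the hybrid uses five, keeps `NY -> LON` direct, and routes `TOK -> SYD` through `HQ`, which is exactly the trade the slide describes.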

Page 28: Setting Up a Virtual Private Network

Configurations and Extranet and Intranet Access

Extranet: enable firewalls and anti-virus software for each remote user or business partner

Intranet: establish usage limits; set up anti-virus and firewall protection

Page 29: Setting Up a Virtual Private Network

Configurations and Extranet and Intranet Access

Page 30: Setting Up a Virtual Private Network

Tunneling Protocols Used with VPNs

IPSec/IKE

PPTP (Point-to-Point Tunneling Protocol)

L2TP (Layer 2 Tunneling Protocol)

PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer)

PPP over SSH (Point-to-Point Protocol over Secure Shell)

Page 31: Setting Up a Virtual Private Network

IPSec/IKE

IPSec provides:

Encryption of the data part of packets

Authentication of the peers and integrity protection of each packet

Encapsulation between two VPN hosts

Two security methods: AH (integrity only) and ESP (encryption plus integrity)

Capability to work in two modes (transport and tunnel)

IKE provides:

An authenticated key exchange (Diffie-Hellman) from which both peers derive the same shared session keys; no private key is ever sent across the network

Negotiation of which encryption and integrity algorithms should be used to protect data that flows through the VPN tunnel, recorded in the security association

Page 32: Setting Up a Virtual Private Network

PPTP

Developed by Microsoft for granting VPN access to remote users over dial-up connections

Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data

Useful only if support for older clients is needed: its MS-CHAPv2 authentication and RC4-based MPPE encryption are both broken, so it should not be chosen where any alternative exists

Compatible with Network Address Translation (NAT)

Superseded by L2TP/IPSec

Page 33: Setting Up a Virtual Private Network

L2TP

Extension to PPP that enables dial-up users to establish a VPN connection to a remote access server

Has no encryption of its own; it is combined with IPSec (L2TP/IPSec) to encrypt data

Originally incompatible with NAT, because the IPSec headers carry no port numbers for a NAT device to rewrite; modern implementations solve this with NAT Traversal (NAT-T), which carries ESP inside UDP on port 4500

Provides a higher level of encryption and authentication than PPTP

Page 34: Setting Up a Virtual Private Network

PPP over SSL and PPP over SSH

Two UNIX-based methods for creating VPNs

Both combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH)

SSL: public key based protocol used to provide secure communications over the Web; the server is authenticated by its certificate and the session is protected with a negotiated symmetric key

SSH: the UNIX secure shell protocol; the server is authenticated by its host key, the user by a password or a public key, and the session is encrypted with a symmetric key negotiated at connection time

Page 35: Setting Up a Virtual Private Network

When to Use Different VPN Protocols

Page 36: Setting Up a Virtual Private Network

Enabling Remote Access Connections within VPNs

Issue the user VPN client software

Make sure the user's computer is equipped with anti-virus software and a firewall

May need to obtain a key (or certificate) for the remote user if you plan to use IPSec to make the VPN connection as well

Page 37: Setting Up a Virtual Private Network

Configuring the Server

Major operating systems include ways of providing secure remote access

Linux: the IP Masquerade feature (NAT) lets remote clients share the gateway's address once connected; the tunnel itself comes from a separate VPN daemon (an IPSec, PPTP or L2TP implementation)

Windows XP and 2000: Network Connections Wizard (accept incoming connections)

Page 38: Setting Up a Virtual Private Network

Configuring the Server (screenshot only; not reproduced in the transcript)

Page 39: Setting Up a Virtual Private Network

Configuring the Server (screenshot only; not reproduced in the transcript)

Page 40: Setting Up a Virtual Private Network

Configuring Clients

Involves either installing and configuring VPN client software or using the Network Connection Wizard

Client workstation must be protected by a firewall

Page 41: Setting Up a Virtual Private Network

VPN Best Practices

Security policy rules that specifically apply to the VPN

Integration of firewall packet filtering with VPN traffic

Auditing the VPN to make sure it is performing acceptably

Page 42: Setting Up a Virtual Private Network

The Need for a VPN Policy

Identify who can use the VPN

Ensure that all users know what constitutes proper use of the VPN:

Whether and how authentication is to be used

Whether split tunneling is permitted

How long users can be connected at any one session

Whether virus protection is included

Page 43: Setting Up a Virtual Private Network

Packet Filtering and VPNs

Encryption and decryption of data can be performed either outside the packet-filtering perimeter or inside it

If the VPN terminates inside the perimeter, the filter sees only the encrypted tunnel (IKE, ESP, AH, PPTP/GRE) and cannot apply rules to the traffic carried within it; inner-traffic policy must then be enforced after decryption

If the VPN terminates outside the perimeter, decrypted packets cross the filter in the clear and the normal rule set applies to them

Page 46: Setting Up a Virtual Private Network

PPTP Filter Rules (table not reproduced in the transcript)

Page 47: Setting Up a Virtual Private Network

L2TP and IPSec Packet-Filtering Rules (table not reproduced in the transcript)
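The rule tables for PPTP and L2TP/IPSec that the two slides above present as images, rebuilt as an added example (not the slides' own tables): a small first-match filter with the ports and IP protocols each tunneling protocol needs, sample packets run through it, and the same table rendered as iptables commands. The gateway address `203.0.113.1` and the client addresses are constructed; the rule names are labels chosen for the demo.

```python
"""Perimeter packet-filter rules for PPTP and L2TP/IPSec (added example)."""
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51
PROTO_NAME = {TCP: "tcp", UDP: "udp", GRE: "gre", ESP: "esp", AH: "ah"}

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: int = 0   # 0 for protocols without ports (GRE, ESP, AH)

@dataclass(frozen=True)
class Rule:
    name: str
    proto: int
    dport: Optional[int]   # None matches any port (used for portless protocols)
    action: str            # "accept" or "drop"

def pptp_rules() -> List[Rule]:
    """PPTP needs the TCP/1723 control channel plus GRE (IP protocol 47) for the tunnel."""
    return [
        Rule("pptp-control", TCP, 1723, "accept"),
        Rule("pptp-gre", GRE, None, "accept"),
    ]

def l2tp_ipsec_rules() -> List[Rule]:
    """L2TP/IPSec: IKE on UDP/500, NAT-T on UDP/4500, then ESP or AH for the data.

    Bare L2TP (UDP/1701) arriving outside IPSec is dropped explicitly: it would carry the PPP
    session with no encryption. Inside ESP it never reaches this filter as UDP/1701.
    """
    return [
        Rule("ike", UDP, 500, "accept"),
        Rule("ike-nat-t", UDP, 4500, "accept"),
        Rule("esp", ESP, None, "accept"),
        Rule("ah", AH, None, "accept"),
        Rule("l2tp-cleartext", UDP, 1701, "drop"),
    ]

def evaluate(rules: List[Rule], pkt: Packet, vpn_gw: str) -> str:
    """First matching rule wins; traffic not aimed at the VPN gateway, or unmatched, is dropped."""
    if pkt.dst != vpn_gw:
        return "drop"
    for rule in rules:
        if rule.proto == pkt.proto and (rule.dport is None or rule.dport == pkt.dport):
            return rule.action
    return "drop"

def to_iptables(rules: List[Rule], vpn_gw: str) -> List[str]:
    """Render the same table as iptables commands for the gateway's INPUT chain."""
    cmds = []
    for rule in rules:
        cmd = f"iptables -A INPUT -d {vpn_gw} -p {PROTO_NAME[rule.proto]}"
        if rule.dport is not None:
            cmd += f" --dport {rule.dport}"
        cmds.append(f"{cmd} -j {rule.action.upper()}")
    cmds.append(f"iptables -A INPUT -d {vpn_gw} -j DROP")  # default deny for the gateway
    return cmds

if __name__ == "__main__":
    gw = "203.0.113.1"  # constructed: the VPN gateway's public address
    probe = [Packet(UDP, "198.51.100.7", gw, 500), Packet(ESP, "198.51.100.7", gw),
             Packet(UDP, "198.51.100.7", gw, 1701), Packet(TCP, "198.51.100.7", gw, 23)]
    for p in probe:
        print(p, "->", evaluate(l2tp_ipsec_rules(), p, gw))
    print("\n".join(to_iptables(l2tp_ipsec_rules(), gw)))
```

The filter only ever sees the outer protocol and port, which is the point of the preceding slide: with the VPN endpoint inside the perimeter these rules are the whole of what the packet filter can enforce, and anything about the inner traffic (which internal hosts a remote user may reach, for instance) has to be checked after decryption.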

Page 48: Setting Up a Virtual Private Network

Auditing and Testing the VPN

Time-consuming

Choose client software that is easy for end users to install on their own, to save you time and effort

Page 49: Setting Up a Virtual Private Network

Chapter Summary

Configuration and operations of VPNs