
Trevor Grove CSCF March 4, 2011


1 Campus VPN service
Trevor Grove, CSCF, March 4, 2011

2 Overview
The VPN project
What is a VPN and why do I want it (what's it good for)?
What do we have?
How do I use it?
Technical stuff
Questions

3 The VPN project
The team:
Steve Carr (IST-Client Services)
Trevor Grove (CSCF)
Mike Patterson (IST-IT Security)
Jason Testart (IST)
Shawn Winnington-Ball (IST-CSS Unix)
Hong Zheng (IST-CSS Windows)
And community testers
Summer/Fall 2010; P.O. issued December

4 The "what" and "why"
VPN: Virtual Private Network
Google "define: vpn": "tunnels", "connect to a workplace", "private connection", etc.
Using the public Internet to securely connect a remote computer to the uWaterloo network
Make the remote computer appear as if it were physically connected on campus

5 Why? (What does it do?)
Off-campus computers are subject to network restrictions:
Campus border policies, e.g. Windows file sharing
"uWaterloo-only" websites & resources
Campus "interior" addresses (172.16/12)
ISP restrictions (message sizes, protocol ports)
A VPN connection bypasses these, and makes the client look like it is on campus
Improved telecommuting is a key component of the campus pandemic plan
Service examples: local newsgroups, LDAP server, library OED, library LexisNexis, \\jam\{n,r,t}, x11/xdmcp

6 Why, 2
VPN connections are encrypted end-to-end
Like https, but for everything: file-sharing, web-browsing, remote desktop
Uses the same technology as web "ssl"
Provides the basis for improved campus border security:
Restrict protocols at the desktop to uWaterloo
Restrict protocols at the border
"I mostly use it to avoid setting up a myriad of SSH tunnels to places that we lock down to campus subnets, or are in the /12 space"

7 Product selection
Four products investigated:
OpenVPN (hardware costs, no software costs, per-client cost per year)
Microsoft Forefront UAG (hardware & software costs, no per-client cost)
Juniper SSL VPN Appliance (server costs, per-client cost)
Cisco ASA (server costs, per-client costs)
Shortlisted Juniper & Cisco; equivalent functionality, Cisco price advantage

8 So what do we have?
Cisco ASA ("Adaptive Security Appliance") servers
Specifically, a pair of ASA 5400s, configured in High Availability mode
Licenced for 1,000 simultaneous users (unlimited client installations)
Intended audience: staff, faculty, grad employees
Classified as an "ssl vpn", uses the standard https port
No problems with firewalls needing to allow PPTP or GRE

9 How do I use it? Getting started...
https://cn-vpn.uwaterloo.ca

10 Getting started, 2

11 Getting started, 3
Use AnyConnect to "plug in" on campus:

12 Getting started, 4

13 Getting started, 5
Internet Explorer => Tools => Internet Options => Security

14 Getting started, 6

15 Getting started, 7
...annoying Windows "User Account Control" prompt...
...possible warnings about "ActiveX installation"...

16 Getting started, 8

17 After client installation
WatIAM credentials

18 Ending a session
Use the task-bar notification icon (lower right)

19 Client platforms
Tested under WinXP, Vista, Win7; Mac OSX; Linux Ubuntu 10.04
For platforms with no ActiveX technology, you will need to download the installer package and run it
Mac OSX seems to be straightforward
Ubuntu has a slightly more complex installation process:
Download installer package & script
Run installer script from the command line
Tested with Internet Explorer 6+, Firefox 3+, Chrome, Safari

20 How does it work?
Before the VPN connection:
[Diagram: PC with NIC address, ISP, Internet (potential connection impediments), destination nets /16 and 172.16/12]

21 How does it work, 2
After the VPN connection:
[Diagram: PC with NIC address and VPN-client-assigned address in the /22; client routes campus addresses via the VPN; ISP; Internet; VPN server routes the /22 to campus nets; destination nets /16 and 172.16/12]

22 Technical details
Installs a network pseudo-device on the client
Client connects to server, receives a VPN tunnel IP address in the /22

Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix . : uwaterloo.ca
   Description : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
   Physical Address : A-3C-7A-00
   DHCP Enabled : No
   Autoconfiguration Enabled : Yes
   IPv4 Address : (Preferred)
   Subnet Mask :
   Default Gateway :
   DNS Servers :

23 Technical details, 2
Client routes uWaterloo traffic through the tunnel, other traffic as usual:

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
[route entries with On-link gateways; addresses not captured in this transcript]

24 Technical details, 3
Fewer hops via VPN:

With VPN:
C:\Users\trg\Desktop>tracert
Tracing route to info.uwaterloo.ca [ ] ...:
  1     8 ms    58 ms     6 ms  v602-cr-rt-phy.uwaterloo.ca [ ]
  2     6 ms     4 ms     4 ms  re1-0-cr-sa.uwaterloo.ca [ ]
  3     7 ms     4 ms     5 ms  info.uwaterloo.ca [ ]
Trace complete.

Without VPN:
  1    12 ms     1 ms     1 ms  dccore-nsfw02-cscfnet.uwaterloo.ca [ ]
  2     4 ms     4 ms     4 ms  dc-cs2-csfwnet.uwaterloo.ca [ ]
  3     5 ms     4 ms     5 ms  dc-cs1-trk1.uwaterloo.ca [ ]
  4     3 ms     2 ms     *     v720-cn-rt-phy.uwaterloo.ca [ ]
  5     5 ms     4 ms     4 ms  v1133-cr-rt-phy.uwaterloo.ca [ ]
  6     4 ms     2 ms     2 ms  re1-0-cr-sa.uwaterloo.ca [ ]
  7     3 ms     4 ms     3 ms  info.uwaterloo.ca [ ]

25 Technical details, 4
VPN will not forward non-uWaterloo traffic to off-campus
Relies on the client to route uWaterloo traffic via the VPN, other traffic as usual
Session idle timeout (automatic disconnect) of 30 minutes
But be aware of background processes
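The split-tunnel behaviour of slides 20 through 25, modelled as an added example (this is not the campus VPN's configuration or Cisco's code): the client picks the interface by longest-prefix match over its route table, and the VPN server forwards only campus destinations. The campus /16 and the interface names are constructed placeholders; 172.16/12 is the interior range the slides name.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder for the campus /16 (the real prefix is not on the page).
CAMPUS_PUBLIC = ip_network("198.18.0.0/16")
# Campus "interior" address space, as named in the slides.
CAMPUS_INTERIOR = ip_network("172.16.0.0/12")
CAMPUS_NETS = (CAMPUS_PUBLIC, CAMPUS_INTERIOR)

# Client route table with the VPN up: campus prefixes via the tunnel adapter,
# everything else via the ISP default route (interface names are illustrative).
SPLIT_TUNNEL_ROUTES = [
    (ip_network("0.0.0.0/0"), "isp"),
    (CAMPUS_PUBLIC, "vpn"),
    (CAMPUS_INTERIOR, "vpn"),
]

# A misconfigured client that sends everything into the tunnel.
FULL_TUNNEL_ROUTES = [(ip_network("0.0.0.0/0"), "vpn")]


def client_interface(dst: str, routes=SPLIT_TUNNEL_ROUTES) -> str:
    """Pick the outgoing interface by longest-prefix match, as a host does."""
    addr = ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def server_forwards(dst: str) -> bool:
    """Concentrator policy: only campus destinations are forwarded (slide 25)."""
    addr = ip_address(dst)
    return any(addr in net for net in CAMPUS_NETS)


def path(dst: str, routes=SPLIT_TUNNEL_ROUTES) -> str:
    """End-to-end outcome for a packet: direct, via VPN, or dropped at the server."""
    if client_interface(dst, routes) != "vpn":
        return "direct via ISP"
    return "via VPN" if server_forwards(dst) else "dropped by VPN server"


if __name__ == "__main__":
    for dst in ("172.20.1.1", "198.18.5.9", "203.0.113.7"):
        print(dst, path(dst), "|", path(dst, FULL_TUNNEL_ROUTES))
```

The last column shows why a client that pushes its default route into the tunnel loses Internet access: the server simply drops non-campus traffic rather than forwarding it off-campus.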

26 Questions?

