Presentation is loading. Please wait.

Presentation is loading. Please wait.

Campus VPN service Trevor Grove CSCF March 4, 2011.

Similar presentations


Presentation on theme: "Campus VPN service Trevor Grove CSCF March 4, 2011."— Presentation transcript:

1 Campus VPN service Trevor Grove CSCF March 4, 2011

2 Overview The VPN project What is a VPN and why do I want it (whats it good for)? What do we have? How do I use it? Technical stuff Questions

3 The VPN project The team: – Steve Carr (IST-Client Services) – Trevor Grove (CSCF) – Mike Patterson (IST-IT Security) – Jason Testart (IST) – Shawn Winnington-Ball (IST-CSS Unix) – Hong Zheng (IST-CSS Windows) And community testers Summer/Fall 2010; P.O. issued December

4 The what and why VPN: Virtual Private Network – Google define: vpnGoogle define: vpn – tunnels, connect to a workplace, private connection, etc. – Using the public Internet to securely connect a remote computer to the uWaterloo network – Make the remote computer appear as if it were physically connected on campus

5 Why? (What does it do?) Off-campus computers are subject to network restrictions: – Campus border policies, e.g. Windows file sharing – uWaterloo-only websites & resources – Campus interior addresses (172.16/12) – ISP restrictions (message sizes, protocol ports) A VPN connection bypasses these, and makes the client look like it is on campus Improved telecommuting is a key component to the campus pandemic plan

6 Why, 2 VPN connections are encrypted end-to-end – Like https, but for everything: , file-sharing, web-browsing, remote desktop – Uses same technology as web ssl Provides the basis for improved campus border security – Restrict protocols at the desktop to uWaterloo – Restrict protocols at the border I mostly use it to avoid setting up a myriad of SSH tunnels to places that we lock down to campus subnets, or are in the /12 space

7 Product selection Four products investigated: – OpenVPN (hardware costs, no software costs, per- client cost per year) – Microsoft ForefrontUAG (hardware & software costs, no per-client cost) – Juniper SSL VPN Appliance (server costs, per-client cost) – Cisco ASA (server costs, per-client costs) Shortlisted Juniper & Cisco; equivalent functionality, Cisco price advantage

8 So what do we have? Cisco ASA (Adaptive Security Appliance) servers – Specifically, a pair of ASA 5400s, configured in High Availability mode Licenced for 1,000 simultaneous users (unlimited client installations) – Intended audience: staff, faculty, grad employees Classified as an ssl vpn, uses standard https port – No problems with firewalls needing to allow PPTP or GRE

9 How do I use it? Getting started… https://cn-vpn.uwaterloo.ca

10 Getting started, 2

11 Getting started, 3 Use AnyConnect to plug in on campus:

12 Getting started, 4

13 Getting started, 5 Internet Explorer => Tools => Internet Options => Security

14 Getting started, 6

15 Getting started, 7 …annoying Windows User Account Control prompt… …possible warnings about ActiveX installation…

16 Getting started, 8

17 After client installation WatIAM credentials

18 Ending a session Use task-bar notification icon (lower right)

19 Client platforms Tested under WinXP, Vista, Win7; Mac OSX; Linux Ubuntu – For platforms with no ActiveX technology, will need to download installer package and run – Mac OSX seems to be straightforward – Ubuntu slightly complex installation process: Download installer package & script Run installer script from commandline Tested with Internet Explorer 6+, Firefox 3+, Chrome, Safari

20 How does it work? Before the VPN connection: Internet ISP Destination net: / /12 PC with NIC address potential connection impediments

21 How does it work, 2 After the VPN connection: PC with NIC address VPN client assigned address /22 Client routes campus addresses via VPN Internet ISP Destination net: / /12 VPN Server: route /22 to campus nets

22 Technical details Installs a network pseudo-device on the client Client connects to server, receives a VPN tunnel IP address in /22 Ethernet adapter Local Area Connection: Connection-specific DNS Suffix. : uwaterloo.ca Description : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64 Physical Address : A-3C-7A-00 DHCP Enabled : No Autoconfiguration Enabled.... : Yes … IPv4 Address : (Preferred) Subnet Mask : Default Gateway : DNS Servers : …

23 Technical details, 2 Client routes uWaterloo traffic through the tunnel, other traffic as usual: IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric On-link On-link On-link On-link On-link On-link On-link On-link On-link On-link On-link On-link On-link

24 Technical details, 3 Fewer hops via VPN: – With VPN: C:\Users\trg\Desktop>tracert Tracing route to info.uwaterloo.ca [ ] …: 1 8 ms 58 ms 6 ms v602-cr-rt-phy.uwaterloo.ca [ ] 2 6 ms 4 ms 4 ms re1-0-cr-sa.uwaterloo.ca [ ] 3 7 ms 4 ms 5 ms info.uwaterloo.ca [ ] Trace complete. – Without VPN: 1 12 ms 1 ms 1 ms dccore-nsfw02-cscfnet.uwaterloo.ca [ ] 2 4 ms 4 ms 4 ms dc-cs2-csfwnet.uwaterloo.ca [ ] 3 5 ms 4 ms 5 ms dc-cs1-trk1.uwaterloo.ca [ ] 4 3 ms 2 ms * v720-cn-rt-phy.uwaterloo.ca [ ] 5 5 ms 4 ms 4 ms v1133-cr-rt-phy.uwaterloo.ca [ ] 6 4 ms 2 ms 2 ms re1-0-cr-sa.uwaterloo.ca [ ] 7 3 ms 4 ms 3 ms info.uwaterloo.ca [ ] Trace complete.

25 Technical details, 4 VPN will not forward non-uWaterloo traffic to off-campus – Relies on client to route uWaterloo traffic via the VPN, other traffic as usual Session idle timeout (automatic disconnect) of 30 minutes – But be aware of background processes

26 Questions?


Download ppt "Campus VPN service Trevor Grove CSCF March 4, 2011."

Similar presentations


Ads by Google