Guide to Network Defense and Countermeasures Second Edition


1 Guide to Network Defense and Countermeasures Second Edition
Chapter 6 VPN Implementation

2 Objectives
- Explain design considerations for a VPN
- Describe options for VPN configuration
- Explain how to set up VPNs with firewalls
- Explain how to adjust packet-filtering rules for VPNs
- Describe guidelines for auditing VPNs and VPN policies
Guide to Network Defense and Countermeasures, Second Edition

3 Designing a VPN
- Assess the organization's needs and goals
  - Type of business
  - How many employees it has
  - Infrastructure already in place
  - Security required
- Enforce security on the client side of the VPN tunnel
  - Most difficult aspect of the design process

4 Business Needs
- Business processes determine how you will implement a VPN strategy
- Careful analysis of the existing infrastructure helps you integrate the VPN with minimal disruption
- VPNs can be classified as site-to-site or client-to-site
- VPNs can offer cost-effective, secure connectivity
- There are legal implications to failing to secure access to a remote network

5 Business Needs (continued)
- Nature of the business
  - What does it do?
  - What product or service does it sell?
  - Who are its customers?
- Cost is usually a key factor
  - Narrows the choices of hardware and software

6 Business Needs (continued)
- Nature of the business
  - A secure VPN design should address:
    - Secure connectivity
    - Availability
    - Authentication
    - Secure management
    - Reliability
    - Scalability
    - Performance

7 Client Security
- There are several ways to increase VPN client security
- Split tunneling describes multiple paths from the client
  - One path goes to the VPN server and is secured
  - Another, unauthorized and unsecured path lets the user reach the Internet directly while still connected to the corporate VPN
  - Leaves the VPN server and internal LAN vulnerable to attack: a client compromised over the unsecured path already has a tunnel into the corporate network


10 Client Security (continued)
- Planning VPN deployment
  - Consider the existing infrastructure
    - Make a network map
    - Decide on the placement of VPN servers
  - Research hardware and software to use
    - Decide whether you need new hardware or software
    - Sometimes you can reconfigure existing resources to support a VPN
  - Develop a list of requirements
    - Bring it when you meet a vendor so nothing is overlooked
  - Follow security policy guidelines

11 Configuring VPNs
- Define a VPN domain
  - Set of one or more computers that VPN hardware and software handle as a single entity
  - Computers in a VPN domain use the VPN to communicate with another domain


13 Single and Multiple Entry Point Configurations
- Determine whether the network gateway will be included in the VPN domain
  - Depends on whether the network uses a single or multiple entry point configuration
- Single entry point configuration
  - Typically used by small networks
  - All traffic to and from the network passes through a single gateway
  - Gateway must be a member of the VPN domain


15 Single and Multiple Entry Point Configurations (continued)
- Multiple entry point configuration
  - Typically used by large organizations
  - Multiple gateways are used, each with a VPN tunnel connecting a different location
  - Gateways must be excluded from the VPN domain
    - Otherwise all traffic, including traffic between the gateways themselves, would be encrypted, reducing performance unnecessarily
  - Make sure VPN domains do not overlap
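A small check for the last two rules on this slide (gateways outside the domains, domains that do not overlap), added here as an example and not part of the original presentation. The domain names, the CIDR ranges and the gateway address are constructed for illustration; the overlap in them is deliberate so the check has something to find.

```python
"""Sanity checks for a multiple entry point VPN design (added example).

A VPN domain is modelled as a named list of subnets. Two domains overlap
when any subnet of one shares addresses with any subnet of the other; an
overlapping pair means the gateways cannot tell which tunnel a packet
belongs to. The gateway check confirms that a gateway's address is not
itself inside any VPN domain.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed example data: one domain per site. branch-west's /16
# deliberately swallows the 10.3.10.0/24 subnet listed under branch-east.
VPN_DOMAINS = {
    "headquarters": ["10.1.0.0/16"],
    "branch-east": ["10.2.0.0/16", "10.3.10.0/24"],
    "branch-west": ["10.3.0.0/16"],
    "datacenter": ["192.168.100.0/24"],
}


def parse_domains(domains):
    """Turn {name: [cidr, ...]} into {name: [IPv4Network, ...]}.

    strict=True rejects CIDRs with host bits set, which usually signals a
    typo in the design document rather than an intended range.
    """
    return {
        name: [ip_network(cidr, strict=True) for cidr in cidrs]
        for name, cidrs in domains.items()
    }


def find_overlaps(domains):
    """Return (domain_a, subnet_a, domain_b, subnet_b) for every pair of
    subnets in *different* domains whose address ranges overlap."""
    parsed = parse_domains(domains)
    overlaps = []
    for (name_a, nets_a), (name_b, nets_b) in combinations(parsed.items(), 2):
        for net_a in nets_a:
            for net_b in nets_b:
                if net_a.overlaps(net_b):
                    overlaps.append((name_a, str(net_a), name_b, str(net_b)))
    return overlaps


def domains_containing(gateway_ip, domains):
    """Names of VPN domains whose subnets contain gateway_ip.

    In a multiple entry point design this list should be empty for every
    gateway; a non-empty result means gateway-to-gateway traffic would be
    pulled into a tunnel.
    """
    addr = ip_address(gateway_ip)
    return [
        name
        for name, nets in parse_domains(domains).items()
        if any(addr in net for net in nets)
    ]


if __name__ == "__main__":
    for a, net_a, b, net_b in find_overlaps(VPN_DOMAINS):
        print(f"overlap: {a} {net_a} <-> {b} {net_b}")
    # Assumed gateway address sitting inside the headquarters domain.
    print("gateway 10.1.0.1 is inside:", domains_containing("10.1.0.1", VPN_DOMAINS))
```

Overlaps within a single domain are not reported, since a domain is handled as one entity; extend the inner loop to `combinations(nets, 2)` per domain if that matters for your design.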


17 VPN Topology Configurations
- How the components in a network are connected to one another
- Determines how gateways, networks, and clients are related to each other
- Corresponds to the basic physical and logical topologies of any network

18 VPN Topology Configurations (continued)
- Mesh topology
  - All participants in the VPN have Security Associations (SAs) with one another
  - Types of mesh arrangements
    - Full mesh: every subnetwork is connected to all other subnets in the VPN; complex to manage
    - Partial mesh: any subnet in the VPN may or may not be connected to the other subnets


20 VPN Topology Configurations (continued)
- Star topology
  - Also known as a hub-and-spoke configuration
  - The VPN gateway is the hub
  - Networks that participate in the VPN are called rim subnetworks
  - A separate SA is established between the hub and each rim subnetwork
  - The central VPN router is at the organization's central office
  - Any LANs or computers that want to participate need to connect only to the central server


22 VPN Topology Configurations (continued)
- Hybrid topology
  - Combines two different network topologies
  - The central core uses a mesh topology
    - Mesh topologies tend to operate more efficiently, since traffic between core sites does not detour through a hub
  - Branch offices can be connected using a star topology
  - Benefits from the strengths of each topology
    - Scalability (of the star topology)
    - Speed (of the mesh configuration)


24 Using VPNs with Firewalls
- VPNs do not reduce the need for a firewall
  - Always use a firewall as part of the VPN security design
- Option: install VPN software on the firewall itself
  - The firewall allows outbound access to the Internet
  - The firewall prevents inbound access from the Internet
  - The VPN service encrypts traffic to remote clients or networks

25 Using VPNs with Firewalls (continued)
- Install VPN software on the firewall itself
  - Advantages
    - Control all network access security from one server
    - Fewer computers to manage
    - Use the same tools for VPN and firewall
  - Disadvantages
    - Single point of failure
    - Must configure routes carefully
    - Internet access and VPN traffic compete for resources on the server


27 Using VPNs with Firewalls (continued)
- Set up the VPN server parallel to your firewall, in the DMZ
  - Advantages
    - No need to modify firewall settings to support VPN traffic
    - Configuration scales more easily
    - Can deal with congested servers by adding VPN servers without touching the firewall
  - Disadvantages
    - The VPN server is connected directly to the Internet
    - If the VPN server is compromised, the attacker has direct access to your internal network
    - Cost of supporting a VPN increases with each new server


29 Using VPNs with Firewalls (continued)
- Set up the VPN server behind the firewall, connected to the internal network
  - Advantages
    - The VPN server is completely protected from the Internet
    - The firewall is the only device controlling access
    - VPN traffic restrictions are configured on the VPN server
  - Disadvantages
    - VPN traffic must travel through the firewall
    - The firewall must handle VPN traffic
    - The firewall might not know what to do with IP protocols other than ICMP, TCP, and UDP (GRE, ESP, and AH carry no port numbers, so port-based rules cannot match them)


31 Adjusting Packet-Filtering Rules for VPNs
- The perimeter firewall filters the packets the VPN sends or receives
- Packet filtering is based on header fields of inbound and outbound packets
- IP packet header fields used by packet filtering
  - Source address
  - Destination address
  - Protocol identifier
- You can filter on any or all of these header fields (and, for TCP and UDP, on the port numbers in the transport header)

32 PPTP Filters
- PPTP
  - First widely supported VPN protocol
  - Supports legacy authentication methods
  - Does not require PKI
  - Might be the only option when VPN connections pass through NAT (this predates widespread IPsec NAT traversal support)
  - PPTP uses two protocols
    - TCP, for the control connection on port 1723
    - GRE (IP protocol 47), for the tunneled data
  - Caveat: PPTP's MS-CHAPv2 authentication and RC4-based MPPE encryption are known to be breakable, so treat PPTP as a legacy protocol rather than a secure choice for new deployments


34 L2TP and IPSec Filters
- Need to set up rules that permit IPSec traffic
  - IKE uses UDP (protocol ID 17) on port 500; with NAT traversal (NAT-T), IKE and UDP-encapsulated ESP move to UDP port 4500
  - ESP uses protocol ID 50
  - AH uses protocol ID 51
  - L2TP itself runs over UDP port 1701, but when it is carried inside IPsec the firewall sees only ESP (or UDP 4500), so a separate L2TP rule is needed only where L2TP runs unencrypted
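The rule set that the PPTP and L2TP/IPSec filter slides describe, written out as a first-match packet filter so the protocol numbers and ports can be checked against sample packets. This is an added example, not code from the presentation: the VPN gateway address and the sample packets are constructed, and the second rule set shows the failure mode from the "behind the firewall" slide, a filter that only understands TCP and UDP and therefore lets IKE negotiate while silently dropping the ESP data that follows.

```python
"""First-match packet filter for VPN traffic at a perimeter firewall (added example)."""
from dataclasses import dataclass
from typing import Optional

VPN_GW = "203.0.113.10"  # assumed public address of the VPN gateway (TEST-NET-3 range)

# IANA IP protocol numbers used by the VPN protocols on the slides.
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # only present for TCP/UDP; GRE, ESP and AH have no ports


@dataclass(frozen=True)
class Rule:
    name: str
    proto: int
    dport: Optional[int]   # None: match any port (or a protocol that has none)
    dst: Optional[str]     # None: match any destination address
    action: str            # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        if self.proto != pkt.proto:
            return False
        if self.dst is not None and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Inbound rules needed so remote peers can reach the VPN gateway.
VPN_RULES = [
    Rule("PPTP control", TCP, 1723, VPN_GW, "allow"),
    Rule("PPTP data (GRE)", GRE, None, VPN_GW, "allow"),
    Rule("IKE", UDP, 500, VPN_GW, "allow"),
    Rule("IKE NAT-T", UDP, 4500, VPN_GW, "allow"),
    Rule("ESP", ESP, None, VPN_GW, "allow"),
    Rule("AH", AH, None, VPN_GW, "allow"),
]

# A filter that only knows how to express TCP and UDP rules: the IKE
# exchange is permitted, but ESP (protocol 50) falls through to the
# default deny, so the tunnel negotiates and then carries no data.
TCP_UDP_ONLY_RULES = [r for r in VPN_RULES if r.proto in (TCP, UDP)]


def evaluate(pkt: Packet, rules=VPN_RULES, default="deny"):
    """Return (action, rule_name) for the first matching rule, else (default, "default")."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


if __name__ == "__main__":
    # Constructed sample packets from a remote peer at 198.51.100.7.
    samples = [
        Packet("198.51.100.7", VPN_GW, UDP, 500),
        Packet("198.51.100.7", VPN_GW, ESP),
        Packet("198.51.100.7", VPN_GW, TCP, 1723),
        Packet("198.51.100.7", VPN_GW, GRE),
        Packet("198.51.100.7", "203.0.113.20", ESP),   # ESP to a non-VPN host
        Packet("198.51.100.7", VPN_GW, TCP, 443),      # not a VPN protocol
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(pkt), "| tcp/udp-only filter:", evaluate(pkt, TCP_UDP_ONLY_RULES))
```

Restricting every rule to the gateway's address is deliberate: ESP or GRE arriving for any other internal host has no legitimate purpose at the perimeter and should hit the default deny.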


36 Auditing VPNs and VPN Policies
- Auditing is needed to make sure the organization has a well-defined VPN policy
- Access policies define standards for connecting to the organization's network
  - Must be integrated with the security policy
  - Policies should be defined for different levels of restriction
- VPN endpoints are as vulnerable as internal network computers
  - Endpoints should also use antivirus software and personal firewalls

37 Auditing VPNs and VPN Policies (continued)
- Test each client that will connect to your LAN
  - Helps prevent network threats
- You can standardize the VPN client for remote users
  - Third-party solutions: Cisco Secure VPN Client, Nokia VPN Client, SonicWALL VPN Client
- Verify everything is working according to your policies

38 Summary
- The nature of the business helps determine your VPN requirements
- Decide the placement of VPN servers
- Research hardware and software to use
- Establish a VPN domain
- VPN configurations
  - Single entry point configurations
  - Multiple entry point configurations
- VPNs need to be used with firewalls

39 Summary (continued)
- Adjust packet-filtering rules to allow PPTP, L2TP, and IPSec traffic
- Audit VPNs and VPN policies after you have installed and configured your VPN
  - Work with a knowledgeable remote user
  - Helps determine a baseline for future auditing, testing, and troubleshooting
