Secure Remote Access: Challenges, Choices, Best Practices
Ramnish Singh, IT Advisor, Microsoft Corporation
Copyright Microsoft Corp. 2006

Design Goals: Client Remote Access
- Transmitted data is encrypted between the endpoints; data intercepted on the Internet is unreadable.
- Information altered or spoofed by an attacker is rejected (integrity and origin protection).
- Client and server can verify each other's identity (mutual authentication).
- The client-to-server connection cannot be hijacked.
- Remote access services are highly available.
- Services can be managed with existing infrastructure tools and technologies.
- Open, non-proprietary standards are built into the design.

Design Goals: Site-to-Site VPNs
- Transmitted data is encrypted between the endpoints; data intercepted on the Internet is unreadable.
- Information altered or spoofed by an attacker is rejected (integrity and origin protection).
- Site-to-site endpoints can verify each other's identity (mutual authentication).
- The site-to-site connection cannot be hijacked.
- Remote access services are highly available.
- Routes are available across the entire network (LAN and VPN) from all endpoints.
- Services can be managed with existing infrastructure tools and technologies.

Design Options for Remote Access
Remote client access:
- Option 1: Dial-up remote access
- Option 2: VPN remote access
Site-to-site access:
- Option 1: Dial-up remote access
- Option 2: Fixed links
- Option 3: VPN site-to-site access

VPN Technologies

What Is a Virtual Private Network?
- Flexible and cost-effective mesh topology
- Reduced hardware and maintenance costs
- Reduced client-to-site connection costs
- Reduced site-to-site connection costs
- High-speed access to enterprise resources
- Flexible, secure communication channels
- Rapid connection of new sites at a lower cost
- Centralized authentication services

VPN Technologies
Option 1: Server-based VPNs
- Advantages: capitalize on current investments; standard Windows tools
- Disadvantages: patch management requirement; consolidation risk on the VPN server
Option 2: Hardware-based VPNs
- Advantages: high network throughput; secure remote administration; highly configurable
- Disadvantages: expensive; proprietary client software; requires specialized skills
Option 3: Third-party managed VPN services
- Advantages: low cost; outsourced installation and support; availability
- Disadvantages: loss of control; loss of flexibility

VPN Design Process
Each design decision has two candidate choices:
- Devices: hardware-based VPN device, or Windows Server 2003
- Communication protocol: PPTP (Point-to-Point Tunneling Protocol), or L2TP (Layer 2 Tunneling Protocol) over IPsec
- Authentication protocol: MS-CHAP v2, or EAP-TLS (Extensible Authentication Protocol with Transport Layer Security)
- End-to-end encryption level: Strong, or Strongest

Other Design Challenges
VPN solution consolidation:
- Dedicated devices for each solution
- Consolidate on a single device or on a cluster
Placement of VPN devices:
- In front of the firewall
- Behind the firewall
- Next to the firewall
- VPN consolidated with the firewall
Load balancing the solution:
- Round-robin DNS
- Hardware-based load balancing
- Software-based load balancing

Client Remote Access Design

Selecting VPN Devices
Option 1: Hardware-based VPN device
- Advantages: dedicated solution; scalable solution; reliability
- Disadvantages: proprietary software (possibly); higher cost; support overhead
Option 2: Windows Server 2003 server
- Advantages: common platform; consolidation potential; proven technology
- Disadvantages: patch management; VPN dependencies on the server platform

Selecting VPN Protocols
Option 1: Point-to-Point Tunneling Protocol (PPTP)
- Advantages: broad client support; firewall support; provides data confidentiality (MPPE); low encryption overhead
- Disadvantages: no data integrity check; requires MS-CHAP v2
Option 2: Layer 2 Tunneling Protocol (L2TP) over IPsec
- Advantages: origin, integrity, replay and confidentiality protection; strong authentication; Windows client support
- Disadvantages: encryption overhead; requires a certificate infrastructure or a pre-shared key
Caveat: since these slides were written, MS-CHAP v2 password authentication has been shown to be practically breakable, and PPTP with MPPE provides no integrity protection, so PPTP should be treated as a legacy option; prefer L2TP/IPsec with certificate-based authentication.
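The "origin, integrity and replay protection" that L2TP/IPsec offers and PPTP lacks (here and in the site-to-site protocol comparison later) is easier to appreciate in code. The following is an added example, not code from the Microsoft slides: a receiver that checks a keyed integrity tag and then an anti-replay sliding window modelled on RFC 4303 Appendix A. HMAC-SHA256 stands in for the IPsec integrity algorithm, the key and packet stream are constructed for the demonstration, and a real security association would get its key from IKE.

```python
import hashlib
import hmac
import struct

WINDOW = 32  # replay window size in packets; RFC 4303 requires at least 32


def icv(key: bytes, seq: int, payload: bytes) -> bytes:
    """Integrity check value over sequence number and payload, as ESP's ICV covers both."""
    return hmac.new(key, struct.pack(">I", seq) + payload, hashlib.sha256).digest()


class ReplayWindow:
    """Sliding window of accepted sequence numbers (RFC 4303 Appendix A style)."""

    def __init__(self, size: int = WINDOW):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) was already accepted

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # ESP never uses sequence number 0
        if seq > self.top:  # new high-water mark: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if seq <= self.top - self.size:
            return False  # older than the window: replay status unknown, so drop
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False  # already accepted once: replay
        self.bitmap |= bit
        return True


def receive(key: bytes, window: ReplayWindow, seq: int, payload: bytes, tag: bytes) -> str:
    """Receiver logic: verify the ICV first, then consult and update the replay window."""
    if not hmac.compare_digest(icv(key, seq, payload), tag):
        return "bad-icv"  # forged or altered in transit; never touches the window
    return "ok" if window.check_and_update(seq) else "replay"


def demo() -> list:
    """Constructed packet stream: in-order, out-of-order, replayed, stale and tampered."""
    key = b"constructed-demo-key"  # constructed; a real SA key comes from IKE
    window = ReplayWindow()
    results = []
    for seq in (1, 2, 3, 2, 5, 4, 40, 7, 8):
        payload = b"packet-%d" % seq
        results.append(receive(key, window, seq, payload, icv(key, seq, payload)))
    # an on-path attacker changes the payload after the tag was computed
    tag = icv(key, 41, b"transfer 10")
    results.append(receive(key, window, 41, b"transfer 99", tag))
    return results


if __name__ == "__main__":
    print(demo())
```

Packet 4 arriving after 5 is accepted (reordering inside the window is normal), the second copy of packet 2 is rejected, and once packet 40 has moved the window forward, packets 7 and 8 are too old to be distinguished from replays and are dropped. With PPTP's MPPE there is no tag and no window, so none of these checks exist.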

Selecting VPN Authentication Protocol
Option 1: MS-CHAP v2
- Password-based authentication protocol.
- Used in the absence of certificates or smart cards.
Option 2: EAP-TLS (certificates or smart cards)
- Designed for use with a certificate infrastructure and either user certificates or smart cards.
- Strongest authentication method of the two, since it does not rely on passwords.

Selecting VPN Authentication Method
Option 1: Windows authentication (the VPN server validates credentials itself)
- Advantage: uses the existing infrastructure
- Disadvantage: management does not scale across many VPN servers
Option 2: Internet Authentication Service (IAS, the Windows RADIUS server)
- Advantages: increased security through centralized policy; logging; remote access policies applied in one place
- Disadvantage: increased management costs
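With IAS the VPN server becomes a RADIUS client and forwards each logon to the RADIUS server, so it is worth seeing what travels on that hop. The following is an added example, not code from the slides or from IAS: the RFC 2865 Access-Request/Access-Accept exchange between a VPN server (the NAS) and a RADIUS server. It shows that the user's password is only hidden with an MD5 keystream derived from the shared secret, and that the reply is authenticated by an MD5 over the reply plus the same secret. The user, password, secret and addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute: type, total length, value."""
    return struct.pack("BB", atype, 2 + len(value)) + value


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with a chained MD5 stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], stream))
        out += block
        prev = block
    return out


def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side inverse; strips the zero padding (passwords ending in NUL are not supported)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, stream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(secret, ident, username, password, nas_ip, authenticator=None):
    """NAS side: Access-Request with a fresh 16-byte Request Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(secret, authenticator, password))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet: bytes) -> dict:
    """Walk the attribute list that follows the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def build_response(secret, request, code, attrs=b""):
    """Server side: Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def server_handle(secret, request, users):
    """RADIUS server side: recover the password, check it, answer Accept or Reject."""
    attrs = parse_attrs(request)
    password = unhide_password(secret, request[4:20], attrs[USER_PASSWORD])
    ok = users.get(attrs[USER_NAME]) == password
    return build_response(secret, request, ACCESS_ACCEPT if ok else ACCESS_REJECT)


def verify_response(secret, request, response) -> bool:
    """NAS side: accept only a reply bound to our request authenticator and our secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """One round trip with constructed data: returns (response code, verified)."""
    secret = b"constructed-shared-secret"
    users = {b"alice": b"s3cret-pw"}   # constructed user store on the RADIUS side
    request = build_access_request(secret, 7, b"alice", b"s3cret-pw", "192.0.2.10")
    response = server_handle(secret, request, users)
    return response[0], verify_response(secret, request, response)


if __name__ == "__main__":
    print(demo())
```

Anyone who learns the shared secret can both recover passwords from captured Access-Requests and forge Access-Accepts, which is why the NAS-to-IAS hop (1812/1813 UDP) belongs on the internal network or inside an IPsec policy, never exposed on the Internet side of the VPN server.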

Site-to-Site VPN Design

Selecting Site-to-Site VPN Devices
Option 1: Hardware-based VPN devices at both ends
- Advantages: dedicated solution; scalable solution; reliability; easy to install
- Disadvantages: proprietary software (possibly); vendor restrictions; additional licensing costs
Option 2: Hardware-based VPN device at the branch office and Windows Server 2003 at the corporate office
- Advantages: simple deployment; ease of installation; scalability and management
- Disadvantage: support costs

Selecting Site-to-Site VPN Devices (cont'd)
Option 3: Windows Server 2003 at both the branch and corporate offices
- Advantages: common platform; consolidation potential; proven technology; hardware reuse; no additional costs
- Disadvantages: patch management; VPN dependencies on the server platform

Selecting Site-to-Site VPN Communication Protocols
Option 1: Layer Two Tunneling Protocol over IPsec (L2TP/IPsec)
- Advantages: origin, integrity, replay and confidentiality protection; strong authentication
- Disadvantage: encryption overhead
Option 2: Pure IPsec tunnel mode
- Advantages: interoperability; provides gateway-to-gateway tunneling
- Disadvantages: may not support user-based authentication; potential vulnerabilities

Site-to-Site Authentication Protocols
Option 1: Certificate-based authentication
- Advantages: each device is uniquely certified; flexible deployment
- Disadvantage: maintenance overhead of the certificate infrastructure
Option 2: IPsec with a shared secret (pre-shared key)
- Advantage: standards-based interoperability
- Disadvantages: shared-secret vulnerability (one secret known to every endpoint); password update overhead; weaker authentication

Other Design Challenges

VPN Solution Consolidation
Option 1: Dedicated devices for each solution
- Advantages: limited impact on availability; independent management; appropriate cost allocation
- Disadvantage: higher costs
Option 2: Consolidate solutions on a single device or cluster
- Advantages: cost savings; load balanced
- Disadvantage: a problem in one service affects the others

Placement of VPN Devices
Option 1: VPN server in front of the firewall
- Advantages: separate VPN service; simple configuration; no bandwidth restrictions; firewall security policy can be applied to VPN clients' decrypted traffic
- Disadvantages: VPN server not protected by the firewall; connections logged in multiple places

Placement of VPN Devices (cont'd)
Option 2: VPN server behind the firewall
- Advantages: VPN can use firewall filtering and logging; no VPN-specific public IP address required; VPN server protected by the firewall
- Disadvantages: firewall rules must pass the VPN protocols; bandwidth limitations of the firewall

Placement of VPN Devices (cont'd)
Option 3: VPN server and firewall side by side on the same Internet segment
- Advantages: separate VPN service; simple configuration; independent management; firewall licensing unaffected
- Disadvantages: bandwidth limitations; VPN server not protected by the firewall

Placement of VPN Devices (cont'd)
Option 4: VPN consolidated with the firewall
- Advantages: cost-effective; manageable
- Disadvantages: potential service conflicts; delegation restrictions

Best Practices

Availability
- Use two ISPs at each site for Internet connectivity.
- Use at least two VPN servers at each site.
- Use at least two VPN servers and two ISPs at the branch office site if the availability requirement is high.
- All network devices placed between two VPN endpoint servers, such as routers, switches and firewalls, should be redundant.

Security

Encryption levels and encryption support (PPTP uses MPPE; L2TP uses IPsec):
- No encryption: no encryption required
- Basic: MPPE 40-bit (PPTP); IPsec 56-bit DES (L2TP)
- Strong: MPPE 56-bit (PPTP); IPsec 56-bit DES (L2TP)
- Strongest: MPPE 128-bit (PPTP); IPsec 168-bit Triple DES (3DES) (L2TP)
By current standards 40-bit and 56-bit keys are not adequate, so only the Strongest level should be allowed.

Ports and protocols allowed through to the VPN server:
- PPTP control channel: 1723/TCP
- GRE for PPTP data: IP protocol 47 (an IP protocol number, not a TCP port)
- IPsec IKE (key negotiation): 500/UDP
- IPsec NAT traversal (NAT-T): 4500/UDP
- IPsec ESP traffic: IP protocol 50
- RADIUS authentication: 1812/UDP
- RADIUS accounting: 1813/UDP
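A common way to get the table above wrong in practice is to write GRE or ESP as TCP/UDP ports, or to leave the RADIUS ports open to the Internet. The following is an added example, not from the slides: a small audit that compares the Internet-facing allow rules for the VPN server against what the deployed tunnel types actually need. The rule lines use a made-up "<action> <proto> <src> <dst> <port|ipproto|->" format and constructed addresses; it is not any vendor's syntax, but the same logic applies to a parsed firewall export.

```python
# What each tunnel type needs through the edge firewall (GRE and ESP are IP protocols)
REQUIRED = {
    "pptp": {("tcp", 1723), ("ip", 47)},                       # control channel + GRE data
    "l2tp-ipsec": {("udp", 500), ("udp", 4500), ("ip", 50)},   # IKE, NAT-T, ESP
}
# RADIUS runs only between the VPN server and IAS; it must never be reachable from the Internet
RADIUS = {("udp", 1812), ("udp", 1813)}

# Constructed sample rule set in a made-up "<action> <proto> <src> <dst> <port|ipproto|->" format
SAMPLE_RULES = """
allow tcp any 203.0.113.5 1723
allow tcp any 203.0.113.5 47      # wrong: GRE is IP protocol 47, not TCP port 47
allow udp any 203.0.113.5 500
allow udp any 203.0.113.5 4500
allow ip  any 203.0.113.5 50
allow udp any 203.0.113.5 1812    # RADIUS exposed to the Internet
allow udp 203.0.113.5 10.0.0.20 1812
allow udp 203.0.113.5 10.0.0.20 1813
deny  ip  any 203.0.113.5 -
""".strip().splitlines()


def parse_rule(line):
    """Parse one constructed rule line; returns None for blank or comment-only lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    action, proto, src, dst, last = line.split()
    # for proto "ip" the last field is the IP protocol number; "-" means any
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "port": None if last == "-" else int(last)}


def audit(rule_lines, vpn_ip, tunnels):
    """Compare Internet-facing allow rules for vpn_ip with what the deployed tunnels need.

    Returns (missing, unexpected, radius_exposed), each a sorted list of (proto, port)."""
    rules = [r for r in map(parse_rule, rule_lines) if r]
    required = set().union(*(REQUIRED[t] for t in tunnels))
    open_from_internet = {(r["proto"], r["port"]) for r in rules
                          if r["action"] == "allow" and r["dst"] == vpn_ip and r["src"] == "any"}
    missing = required - open_from_internet          # tunnel will not come up
    unexpected = open_from_internet - required       # exposure with no design justification
    radius_exposed = open_from_internet & RADIUS     # shared secret reachable from outside
    return (sorted(missing, key=str), sorted(unexpected, key=str), sorted(radius_exposed, key=str))


def demo():
    """Audit the constructed rules for a server that offers both PPTP and L2TP/IPsec."""
    return audit(SAMPLE_RULES, "203.0.113.5", ("pptp", "l2tp-ipsec"))


if __name__ == "__main__":
    missing, unexpected, radius = demo()
    print("missing:", missing)
    print("unexpected:", unexpected)
    print("radius exposed:", radius)
```

On the sample rules the audit reports GRE (IP protocol 47) as missing, the bogus TCP port 47 and the Internet-facing RADIUS 1812 as unexpected, and the RADIUS exposure separately; running it with only ("l2tp-ipsec",) additionally flags 1723/TCP as an opening that the design no longer needs.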

Remote Access Services Design for Centralized Data Center
(network diagram slide; not reproduced in the transcript)

Remote Access Services Design for Satellite Branch Office
(network diagram slide; not reproduced in the transcript)

Questions?

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.