Chapter 11: Setting up a Virtual Private Network

Learning Objectives  Explain the components and essential operations of virtual private networks (VPNs)  Describe the different types of VPNs  Create VPN setups, such as mesh or hub-and- spoke configurations  Choose the right tunneling protocol for your VPN  Enable secure remote access for individual users via a VPN  Recommend best practices for effective configuration and maintenance of VPNs 7/19IS 3200, Summer

Introduction  Organizations routinely join LANs to facilitate secure point-to-point communications  Private leased lines don’t scale well, utilize complex technology, and are expensive  VPNs function like private leased lines  Encapsulate and encrypt data being transmitted  Use authentication to ensure only approved users gain access  VPNs provide secure point-to-point communications over public Internet 7/19IS 3200, Summer

VPN Components and Operations  VPNs can be set up with special hardware or with firewall software that includes VPN functionality  Many firewalls have VPN systems built in  Correctly set up VPN can be a critical component in an organization’s perimeter security configuration  Goal of VPNs is to provide a cost-effective and secure way to connect business locations to one another and remote workers to office networks IS 3200, Summer /19

VPN Components  VPNs consist of two types of components:  Hardware devices  Software that performs security-related activities  VPN tunnels have two endpoints or terminators  Endpoints:  Hardware devices or software modules  Encrypt data to secure information  Authenticate to ensure host requesting data is an approved user  Encapsulate data to protect integrity of information being sent 7/19IS 3200, Summer

VPN Components (continued)  VPN connection occurs within TCP/IP tunnel  Tunnel: channel or pathway of networks used by VPN that runs through the Internet from one endpoint to another  “Tunnel” can be misleading as it implies:  There is a single cable joining endpoints  Only approved VPN users can utilize that cable  In reality, VPN “tunnel” is virtual  Using the Internet keeps costs down and simplifies setup of VPN but can also add uncertainty to communications 7/19IS 3200, Summer

VPN Components (continued)  Endpoint devices can be one of the following:  A server running a tunneling protocol  A VPN appliance (a special hardware device devoted to setting up VPN communications)  A firewall/VPN combination  A router-based VPN (routers that support IPSec can be set up on perimeter of connected LANs)  VPN scenario may also include:  Certificate servers: manage certificates  Client computers: run VPN client software, allowing remote users LAN access over the VPN 7/19IS 3200, Summer

Essential Activities of VPNs  Information transferred via VPN travels over the Internet and must be well protected  Essential activities that protect data are:  IP encapsulation  Data payload encryption  Encrypted authentication 7/19IS 3200, Summer

IP Encapsulation  Used to protect VPN data packets  Process of enclosing one packet within another packet that has different IP source and destination information  Hides source and destination information of encapsulated packets  IP addresses of encapsulated packets can be in the private reserved blocks that are not usually routable over the Internet 7/19IS 3200, Summer

Data Payload Encryption  VPNs can be configured to fully or partially encrypt data portion of packets  Encryption accomplished in one of two ways:  Transport method: host encrypts traffic when it is generated; data is encrypted, but not headers  Tunnel method: traffic encrypted and decrypted in transit; both header and data portions of packets are encrypted  Level of encryption varies 7/19IS 3200, Summer

Encrypted Authentication  Encryption domain: everything in the protected network and behind the gateway  Authentication essential; VPN communication recipients must know sender is approved user  Hosts authenticated by exchanging keys  Two types of keys:  Symmetric keys: keys are the same; hosts exchange same secret key to verify identities  Asymmetric keys: participants have private key and public key; public keys exchanged; public key used to encrypt; decrypt using private key 7/19IS 3200, Summer

Benefits and Drawbacks of VPNs  Benefits:  Secure networking without costly leased lines  Encryption/translation handled by dedicated systems, reducing production machine workload  Allows control of physical setup  Drawbacks:  Complex and, if configured improperly, can create significant network vulnerabilities  Uses unpredictable and often unreliable Internet  Some vendor solutions have more documented security issues than others 7/19IS 3200, Summer

VPNs Extend Network Boundaries  VPN connections that are “always on” extend your network to locations out of your control  Some suggestions for dealing with increased risk presented by these connections:  Use of two or more authentication tools to identify remote users  Integrate virus protection  Use Network Access Control (NAC)  Set usage limits 7/19IS 3200, Summer

Types of VPNs  In general, you can set up two types of VPN:  Site-to-site: links two or more networks  Client-to-site: makes a network accessible to remote users who need dial-in access  These two VPN types are not mutually exclusive  Options for configuring VPNs:  Hardware systems  Software systems  Hybrids  VPNs need to be able to work with any number of different operating systems or computer types 7/19IS 3200, Summer

VPN Appliances  Hardware device specially designed to terminate VPNs and join multiple LANs  Can permit connections between large numbers of users or multiple networks  Don’t provide other services such as file sharing and printing  Some examples include the SonicWALL series and the Symantec Firewall/VPN appliance 7/19IS 3200, Summer

Software VPN Systems  Generally less expensive than hardware systems  Tend to scale better on fast-growing networks  Some examples include F-Secure VPN+ and Novell’s BorderManager VPN services 7/19IS 3200, Summer

VPN Combinations of Hardware and Software  VPN systems may implement VPN appliance at the central network and use client software at remote end of each VPN connection  Most VPN concentrator appliances are capable of operating in one of two modes:  Client mode: concentrator acts as software client, enabling users to connect to other remote networks via VPN  Network extension mode: concentrator acts as hardware device enabling secure site-to-site VPN connection 7/19IS 3200, Summer

Combination VPNs  VPN system that is “mixed” uses hardware and software from different vendors  Challenge: get all pieces of the system to communicate with one another successfully  Solution: pick a standard security protocol that is widely used and supported by all devices, such as IPSec 7/19IS 3200, Summer

VPN Setups  With two participants in a VPN, configuration is relatively straightforward in terms of:  Expense  Technical difficulty  Time involved  When three or more networks/individuals are connected, several configuration options exist:  Mesh  Hub-and-spoke  Hybrid 7/19IS 3200, Summer

Mesh Configuration  Each participant (network, router, or computer) in the VPN has an approved relationship, called a security association (SA), with every other participant  During VPN configuration, each participant must be specifically identified to every other participant using the VPN  Before initiating connection, each VPN terminator checks its routing table or SA table to confirm the other participant has an SA with it 7/19IS 3200, Summer

Mesh VPN 7/19IS 3200, Summer

Hub-and-Spoke Configuration  A single VPN router contains records of all SAs in the VPN  Any LANs or computers participating in VPN need only connect to central server, not to any other machines in VPN  Easy to increase the size of VPN as more branch offices or computers are added 7/19IS 3200, Summer

Hub-and-Spoke VPN 7/19IS 3200, Summer

Hybrid Configuration  As organizations grow, mesh or hub-and-spoke VPN designs commonly evolve into a mixture of the two  Mesh configurations tend to be more efficient; central core linking most important network branches should be mesh configuration; other branch offices added as spokes connecting to VPN router at central office  Hybrid setup benefits from strengths of each one—scalability of hub-and-spoke and speed of mesh 7/19IS 3200, Summer

Configurations and Extranet and Intranet Access  Each VPN endpoint represents extension of corporate network to new location—an extranet  Same security measures taken to protect corporate network should be applied to VPN endpoints (firewalls, anti-virus, etc.)  VPNs can also be used to give parts of organization access to other areas through corporate intranet  VPN users inside organization should have usage limits, anti-virus, and firewall protection, just as outside users should 7/19IS 3200, Summer

Tunneling Protocols Used with VPNs  In the past, firewalls providing establishment of VPNs used proprietary protocols  Such firewalls could only establish connections with remote LANs using same firewall brand  Today, widespread acceptance of IPSec protocol with Internet Key Exchange (IKE) system means proprietary protocols are used far less often 7/19IS 3200, Summer

IPSec/IKE  IPSec provides two security methods:  Authenticated Header (AH): authenticates packets  Encapsulating Security Payload (ESP): encrypts data portion of packets  IPSec can work in two different modes:  Transport mode: provides secure communications between hosts  Tunnel mode: used to create secure links between two private networks 7/19IS 3200, Summer

IPSec/IKE (continued)  IPSec/IKE VPN connection process:  1. Request to establish a connection sent  2. Remote host generates random number and sends to machine that made original request  3. Original machine encrypts its pre-shared key using random number and sends to remote host  4. Remote host decrypts key, compares it to its own pre-shared key or keyring; if key matches, remote host encrypts public key using pre-shared key and sends to original machine  5. Original machine uses public key to establish security association (SA) and VPN connection 7/19IS 3200, Summer

PPTP  Point-to-Point Tunneling Protocol (PPTP)  Commonly used to connect to a network using a dial-in modem connection  Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data  Useful if support for older clients is needed  Also useful because packets sent can pass through firewalls that perform Network Address Translation (NAT) 7/19IS 3200, Summer

L2TP  Layer 2 Tunneling Protocol (L2TP)  Extension of Point-to-Point Protocol (PPP)  Uses IPSec rather than MPPE to encrypt data  Provides secure authenticated remote access by separating connection initiation process from encapsulated data forwarding process 7/19IS 3200, Summer

PPP Over SSL/PPP Over SSH  Point-to-Point Protocol (PPP) Over Secure Sockets Layer (SSL) and Point-to-Point Protocol (PPP) Over Secure Shell (SSH)  UNIX-based methods for creating VPNs  Combine existing tunnel system (PPP) with way of encrypting data in transport (SSL or SSH)  SSL: public key encryption system used to provide secure communications over WWW  SSH: UNIX secure shell; performs secure authenticated logons and encrypted communications; requires pre-shared key 7/19IS 3200, Summer

VPN Protocols and Their Uses 7/19IS 3200, Summer

Enabling Remote Access Connections within VPNs  To enable remote user to connect to VPN, user must be issued VPN client software  User’s computer should be equipped with a firewall and anti-virus software  Key may need to be obtained for remote user if IPSec is used to make VPN connection  Problems may be encountered finding phone provider having dial-up numbers in all locations 7/19IS 3200, Summer

Configuring the Server  If firewall-based VPN is used, client computer must be identified  Check Point FireWall-1 calls the process defining a network object  Major operating systems incorporate their own methods of providing secure remote access  Linux uses IP Masquerade feature  Windows XP and 2000 include New Connection Wizard 7/19IS 3200, Summer

Configuring Clients  Involves installing and configuring VPN client software or using New Connection Wizard  FireWall-1 uses SecuRemote that enables connections to hosts or networks via VPN  Important issues to consider:  Will client software work with all client platforms  Is client workstation itself firewall protected  Because each VPN connection is potential opening for viruses and hackers, requirement that remote hosts be protected with firewalls should be part of organization’s VPN policy 7/19IS 3200, Summer

VPN Best Practices  Successful operation of VPN depends not only on hardware and software components and overall configuration  Also depends on a number of best practices  These include:  Security policy rules specific to the VPN  Integration of firewall packet filtering with VPN traffic  Auditing VPN to ensure acceptable performance 7/19IS 3200, Summer

The Need for a VPN Policy  Essential for identifying who can use the VPN and for ensuring all users know what constitutes proper use  Can be a separate stand-alone policy or part of a larger security policy  Points to cover include but are not limited to:  Who is permitted to have VPN access  Whether authentication is to be used and how  Whether split tunneling is permitted  How long users can be connected in one session  Whether virus protection is included 7/19IS 3200, Summer

Packet Filtering and VPNs  Decision must be made early as to where data encryption and decryption will be performed in relation to packet filtering  Encryption and decryption can occur either inside or outside the packet-filtering perimeter 7/19IS 3200, Summer

PPTP Filters  PPTP commonly used when older clients need to connect to a network through a VPN or when a tunnel must pass through a firewall that performs NAT  For PPTP traffic to pass through a firewall, packet-filtering rules must permit such communications  Incoming PPTP connections on TCP Port 1723  PPTP packets use Generic Routing Encapsulating (GRE) packets identified by protocol identification number ID 47 7/19IS 3200, Summer

L2TP and IPSec Packet-Filtering Rules  L2TP uses IPSec to encrypt traffic as it passes through the firewall  Packet-filtering rules must be set up that cover IPSec traffic 7/19IS 3200, Summer

Auditing and Testing the VPN  Each VPN computer client should be tested  VPN should be checked to ensure component reliability and acceptable file transfer rates  If parts of network frequently fail, switch ISPs  If ISP switch is needed, consider the following:  How often does network go offline?  Are there backup servers to keep customers online if primary server goes down?  Are there backup power supplies in case of a power outage?  How far is the network backbone? 7/19IS 3200, Summer

Chapter Summary  VPNs:  Provide secure point-to-point communications over the public Internet  Used for e-commerce and telecommuting  Can be set up with special hardware or with firewall software that includes VPN functionality  Are a critical component in an organization’s perimeter security configuration 7/19IS 3200, Summer

Chapter Summary (continued)  VPN data travels over public networks and needs to be well protected  Essential data protection activities:  IP encapsulation  Data payload encryption  Encrypted authentication  Two different types of VPN:  Site-to-site  Client-to-site  The two are not necessarily mutually exclusive 7/19IS 3200, Summer

Chapter Summary (continued)  VPN configurations:  Mesh configuration: each participant has an approved relationship with every other participant  Hub-and-spoke arrangement: single, central VPN router contains records of all associations; any other participants connect only to central server  Hybrid setup: mixture that often evolves from the other configuration types as organization grows  Widespread use of IPSec with Internet Key Exchange (IKE) means proprietary protocols used far less often 7/19IS 3200, Summer

Chapter Summary (continued)  IPSec provides two security methods:  Authenticated Header (AH): authenticates packets  Encapsulating Security Payload (ESP): encrypts the data portion of packets  Both methods can be used together 7/19IS 3200, Summer

Chapter Summary (continued)  Point-to-Point Tunneling Protocol (PPTP) used to connect to network using dial-in modem  Layer 2 Tunneling Protocol (L2TP) extension of protocol long used for dial-up connections on the Internet, Point-to-Point Protocol (PPP)  Point-to-Point Protocol (PPP) Over Secure Sockets Layer (SSL) and Point-to-Point Protocol (PPP) Over Secure Shell (SSH)  UNIX-based methods for creating VPNs  Combine existing tunnel system (PPP) with data encryption in transport (SSL or SSH) 7/19IS 3200, Summer

Chapter Summary (continued)  To enable remote user to connect to a VPN, issue that user VPN client software  Make sure user’s computer has anti-virus software and a firewall  May need to obtain key for remote user if using IPSec to make VPN connection  VPN best practices include:  Security policy rules specific to the VPN  Integration of firewall packet filtering and VPN traffic  Auditing VPN to ensure acceptable performance 7/19IS 3200, Summer