Presentation is loading. Please wait.

Presentation is loading. Please wait.

11 Setting Up a Virtual Private Network

Published byMiles Cross Modified over 9 years ago

Similar presentations

Presentation on theme: "11 Setting Up a Virtual Private Network"— Presentation transcript:

1 11 Setting Up a Virtual Private Network
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed. 11 Setting Up a Virtual Private Network By Whitman, Mattord, & Austin © 2008 Course Technology

2 Learning Objectives Explain the components and essential operations of virtual private networks (VPNs) Describe the different types of VPNs Create VPN setups, such as mesh or hub-and-spoke configurations Choose the right tunneling protocol for your VPN Enable secure remote access for individual users via a VPN Recommend best practices for effective configuration and maintenance of VPNs Firewalls & Network Security, 2nd ed. - Chapter 11

3 Introduction Organizations routinely join LANs to facilitate secure point-to-point communications Private leased lines don’t scale well, utilize complex technology, and are expensive VPNs function like private leased lines Encapsulate and encrypt data being transmitted Use authentication to ensure only approved users gain access VPNs provide secure point-to-point communications over public Internet Firewalls & Network Security, 2nd ed. - Chapter 11

4 VPN Components and Operations
VPNs can be set up with special hardware or with firewall software that includes VPN functionality Many firewalls have VPN systems built in Correctly set up VPN can be a critical component in an organization’s perimeter security configuration Goal of VPNs is to provide a cost-effective and secure way to connect business locations to one another and remote workers to office networks Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 4 4

5 VPN Components VPNs consist of two types of components:
Hardware devices Software that performs security-related activities VPN tunnels have two endpoints or terminators Endpoints: Hardware devices or software modules Encrypt data to secure information Authenticate to ensure host requesting data is an approved user Encapsulate data to protect integrity of information being sent Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 5 5

6 VPN Components (continued)
VPN connection occurs within TCP/IP tunnel Tunnel: channel or pathway of networks used by VPN that runs through the Internet from one endpoint to another “Tunnel” can be misleading as it implies: There is a single cable joining endpoints Only approved VPN users can utilize that cable In reality, VPN “tunnel” is virtual Using the Internet keeps costs down and simplifies setup of VPN but can also add uncertainty to communications Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 6 6

7 VPN Components (continued)
Endpoint devices can be one of the following: A server running a tunneling protocol A VPN appliance (a special hardware device devoted to setting up VPN communications) A firewall/VPN combination A router-based VPN (routers that support IPSec can be set up on perimeter of connected LANs) VPN scenario may also include: Certificate servers: manage certificates Client computers: run VPN client software, allowing remote users LAN access over the VPN Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 7 7

8 Essential Activities of VPNs
Information transferred via VPN travels over the Internet and must be well protected Essential activities that protect data are: IP encapsulation Data payload encryption Encrypted authentication Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 8 8

9 IP Encapsulation Used to protect VPN data packets
Process of enclosing one packet within another packet that has different IP source and destination information Hides source and destination information of encapsulated packets IP addresses of encapsulated packets can be in the private reserved blocks that are not usually routable over the Internet Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 9 9

10 Data Payload Encryption
VPNs can be configured to fully or partially encrypt data portion of packets Encryption accomplished in one of two ways: Transport method: host encrypts traffic when it is generated; data is encrypted, but not headers Tunnel method: traffic encrypted and decrypted in transit; both header and data portions of packets are encrypted Level of encryption varies Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 10 10

11 Encrypted Authentication
Encryption domain: everything in the protected network and behind the gateway Authentication essential; VPN communication recipients must know sender is approved user Hosts authenticated by exchanging keys Two types of keys: Symmetric keys: keys are the same; hosts exchange same secret key to verify identities Asymmetric keys: participants have private key and public key; public keys exchanged; public key used to encrypt; decrypt using private key Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 11 11

12 Benefits and Drawbacks of VPNs
Secure networking without costly leased lines Encryption/translation handled by dedicated systems, reducing production machine workload Allows control of physical setup Drawbacks: Complex and, if configured improperly, can create significant network vulnerabilities Uses unpredictable and often unreliable Internet Some vendor solutions have more documented security issues than others Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 12 12

13 VPNs Extend Network Boundaries
VPN connections that are “always on” extend your network to locations out of your control Some suggestions for dealing with increased risk presented by these connections: Use of two or more authentication tools to identify remote users Integrate virus protection Use Network Access Control (NAC) Set usage limits Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 13 13

14 Types of VPNs In general, you can set up two types of VPN:
Site-to-site: links two or more networks Client-to-site: makes a network accessible to remote users who need dial-in access These two VPN types are not mutually exclusive Options for configuring VPNs: Hardware systems Software systems Hybrids VPNs need to be able to work with any number of different operating systems or computer types Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 14 14

15 VPN Appliances Hardware device specially designed to terminate VPNs and join multiple LANs Can permit connections between large numbers of users or multiple networks Don’t provide other services such as file sharing and printing Some examples include the SonicWALL series and the Symantec Firewall/VPN appliance Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 15 15

16 Software VPN Systems Generally less expensive than hardware systems
Tend to scale better on fast-growing networks Some examples include F-Secure VPN+ and Novell’s BorderManager VPN services Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 16 16

17 VPN Combinations of Hardware and Software
VPN systems may implement VPN appliance at the central network and use client software at remote end of each VPN connection Most VPN concentrator appliances are capable of operating in one of two modes: Client mode: concentrator acts as software client, enabling users to connect to other remote networks via VPN Network extension mode: concentrator acts as hardware device enabling secure site-to-site VPN connection Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 17 17

18 Combination VPNs VPN system that is “mixed” uses hardware and software from different vendors Challenge: get all pieces of the system to communicate with one another successfully Solution: pick a standard security protocol that is widely used and supported by all devices, such as IPSec Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 18 18

19 VPN Setups With two participants in a VPN, configuration is relatively straightforward in terms of: Expense Technical difficulty Time involved When three or more networks/individuals are connected, several configuration options exist: Mesh Hub-and-spoke Hybrid Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 19 19

20 Mesh Configuration Each participant (network, router, or computer) in the VPN has an approved relationship, called a security association (SA), with every other participant During VPN configuration, each participant must be specifically identified to every other participant using the VPN Before initiating connection, each VPN terminator checks its routing table or SA table to confirm the other participant has an SA with it Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 20 20

21 Mesh VPN Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 21

22 Hub-and-Spoke Configuration
A single VPN router contains records of all SAs in the VPN Any LANs or computers participating in VPN need only connect to central server, not to any other machines in VPN Easy to increase the size of VPN as more branch offices or computers are added Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 22 22

23 Hub-and-Spoke VPN Firewalls & Network Security, 2nd ed. - Chapter 11
Slide 23 23

24 Hybrid Configuration As organizations grow, mesh or hub-and-spoke VPN designs commonly evolve into a mixture of the two Mesh configurations tend to be more efficient; central core linking most important network branches should be mesh configuration; other branch offices added as spokes connecting to VPN router at central office Hybrid setup benefits from strengths of each one—scalability of hub-and-spoke and speed of mesh Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 24 24

25 Configurations and Extranet and Intranet Access
Each VPN endpoint represents extension of corporate network to new location—an extranet Same security measures taken to protect corporate network should be applied to VPN endpoints (firewalls, anti-virus, etc.) VPNs can also be used to give parts of organization access to other areas through corporate intranet VPN users inside organization should have usage limits, anti-virus, and firewall protection, just as outside users should Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 25 25

26 Tunneling Protocols Used with VPNs
In the past, firewalls providing establishment of VPNs used proprietary protocols Such firewalls could only establish connections with remote LANs using same firewall brand Today, widespread acceptance of IPSec protocol with Internet Key Exchange (IKE) system means proprietary protocols are used far less often Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 26 26

27 IPSec/IKE IPSec provides two security methods:
Authenticated Header (AH): authenticates packets Encapsulating Security Payload (ESP): encrypts data portion of packets IPSec can work in two different modes: Transport mode: provides secure communications between hosts Tunnel mode: used to create secure links between two private networks Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 27 27

28 IPSec/IKE (continued)
IPSec/IKE VPN connection process: 1. Request to establish a connection sent 2. Remote host generates random number and sends to machine that made original request 3. Original machine encrypts its pre-shared key using random number and sends to remote host 4. Remote host decrypts key, compares it to its own pre-shared key or keyring; if key matches, remote host encrypts public key using pre-shared key and sends to original machine 5. Original machine uses public key to establish security association (SA) and VPN connection Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 28 28

29 PPTP Point-to-Point Tunneling Protocol (PPTP)
Commonly used to connect to a network using a dial-in modem connection Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data Useful if support for older clients is needed Also useful because packets sent can pass through firewalls that perform Network Address Translation (NAT) Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 29 29

30 L2TP Layer 2 Tunneling Protocol (L2TP)
Extension of Point-to-Point Protocol (PPP) Uses IPSec rather than MPPE to encrypt data Provides secure authenticated remote access by separating connection initiation process from encapsulated data forwarding process Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 30 30

31 PPP Over SSL/PPP Over SSH
Point-to-Point Protocol (PPP) Over Secure Sockets Layer (SSL) and Point-to-Point Protocol (PPP) Over Secure Shell (SSH) UNIX-based methods for creating VPNs Combine existing tunnel system (PPP) with way of encrypting data in transport (SSL or SSH) SSL: public key encryption system used to provide secure communications over WWW SSH: UNIX secure shell; performs secure authenticated logons and encrypted communications; requires pre-shared key Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 31 31

32 VPN Protocols and Their Uses
Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 32 32

33 Enabling Remote Access Connections within VPNs
To enable remote user to connect to VPN, user must be issued VPN client software User’s computer should be equipped with a firewall and anti-virus software Key may need to be obtained for remote user if IPSec is used to make VPN connection Problems may be encountered finding phone provider having dial-up numbers in all locations Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 33 33

34 Configuring the Server
If firewall-based VPN is used, client computer must be identified Check Point FireWall-1 calls the process defining a network object Major operating systems incorporate their own methods of providing secure remote access Linux uses IP Masquerade feature Windows XP and 2000 include New Connection Wizard Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 34 34

35 Configuring Clients Involves installing and configuring VPN client software or using New Connection Wizard FireWall-1 uses SecuRemote that enables connections to hosts or networks via VPN Important issues to consider: Will client software work with all client platforms Is client workstation itself firewall protected Because each VPN connection is potential opening for viruses and hackers, requirement that remote hosts be protected with firewalls should be part of organization’s VPN policy Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 35 35

36 VPN Best Practices Successful operation of VPN depends not only on hardware and software components and overall configuration Also depends on a number of best practices These include: Security policy rules specific to the VPN Integration of firewall packet filtering with VPN traffic Auditing VPN to ensure acceptable performance Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 36 36

37 The Need for a VPN Policy
Essential for identifying who can use the VPN and for ensuring all users know what constitutes proper use Can be a separate stand-alone policy or part of a larger security policy Points to cover include but are not limited to: Who is permitted to have VPN access Whether authentication is to be used and how Whether split tunneling is permitted How long users can be connected in one session Whether virus protection is included Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 37 37

38 Packet Filtering and VPNs
Decision must be made early as to where data encryption and decryption will be performed in relation to packet filtering Encryption and decryption can occur either inside or outside the packet-filtering perimeter Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 38 38

39 PPTP Filters PPTP commonly used when older clients need to connect to a network through a VPN or when a tunnel must pass through a firewall that performs NAT For PPTP traffic to pass through a firewall, packet-filtering rules must permit such communications Incoming PPTP connections on TCP Port 1723 PPTP packets use Generic Routing Encapsulating (GRE) packets identified by protocol identification number ID 47 Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 39 39

40 L2TP and IPSec Packet-Filtering Rules
L2TP uses IPSec to encrypt traffic as it passes through the firewall Packet-filtering rules must be set up that cover IPSec traffic Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 40 40

41 Auditing and Testing the VPN
Each VPN computer client should be tested VPN should be checked to ensure component reliability and acceptable file transfer rates If parts of network frequently fail, switch ISPs If ISP switch is needed, consider the following: How often does network go offline? Are there backup servers to keep customers online if primary server goes down? Are there backup power supplies in case of a power outage? How far is the network backbone? Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 41 41

42 Chapter Summary VPNs: Provide secure point-to-point communications over the public Internet Used for e-commerce and telecommuting Can be set up with special hardware or with firewall software that includes VPN functionality Are a critical component in an organization’s perimeter security configuration Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 42 42

43 Chapter Summary (continued)
VPN data travels over public networks and needs to be well protected Essential data protection activities: IP encapsulation Data payload encryption Encrypted authentication Two different types of VPN: Site-to-site Client-to-site The two are not necessarily mutually exclusive Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 43 43

44 Chapter Summary (continued)
VPN configurations: Mesh configuration: each participant has an approved relationship with every other participant Hub-and-spoke arrangement: single, central VPN router contains records of all associations; any other participants connect only to central server Hybrid setup: mixture that often evolves from the other configuration types as organization grows Widespread use of IPSec with Internet Key Exchange (IKE) means proprietary protocols used far less often Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 44 44

45 Chapter Summary (continued)
IPSec provides two security methods: Authenticated Header (AH): authenticates packets Encapsulating Security Payload (ESP): encrypts the data portion of packets Both methods can be used together Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 45 45

46 Chapter Summary (continued)
Point-to-Point Tunneling Protocol (PPTP) used to connect to network using dial-in modem Layer 2 Tunneling Protocol (L2TP) extension of protocol long used for dial-up connections on the Internet, Point-to-Point Protocol (PPP) Point-to-Point Protocol (PPP) Over Secure Sockets Layer (SSL) and Point-to-Point Protocol (PPP) Over Secure Shell (SSH) UNIX-based methods for creating VPNs Combine existing tunnel system (PPP) with data encryption in transport (SSL or SSH) Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 46 46

47 Chapter Summary (continued)
To enable remote user to connect to a VPN, issue that user VPN client software Make sure user’s computer has anti-virus software and a firewall May need to obtain key for remote user if using IPSec to make VPN connection VPN best practices include: Security policy rules specific to the VPN Integration of firewall packet filtering and VPN traffic Auditing VPN to ensure acceptable performance Firewalls & Network Security, 2nd ed. - Chapter 11 Slide 47 47

Download ppt "11 Setting Up a Virtual Private Network"

Similar presentations

Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
VPN: Virtual Private Network Presented by: Germaine Bacon Lizzi Beduya Betty Huang Jun Mitsuoka Juliet Polintan.

VPN: Virtual Private Network Presented by: Germaine Bacon Lizzi Beduya Betty Huang Jun Mitsuoka Juliet Polintan.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Virtual Private Networks and IPSec

Virtual Private Networks and IPSec
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
VIRTUAL PRIVATE NETWORKS (VPN). GROUP MEMBERS ERVAND AKOPYAN ORLANDO CANTON JR. JUAN DAVID OROZCO.

VIRTUAL PRIVATE NETWORKS (VPN). GROUP MEMBERS ERVAND AKOPYAN ORLANDO CANTON JR. JUAN DAVID OROZCO.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 14: Troubleshooting Remote Connections.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 14: Troubleshooting Remote Connections.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?

Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

Similar presentations

Ads by Google