Secure Remote Access: Challenges, Choices, Best Practices
Ramnish Singh, IT Advisor, Microsoft Corporation
Copyright Microsoft Corp. 2006
Design Goals: Client Remote Access
- Transmitted data is encrypted between endpoints.
- Data intercepted on the Internet should be unreadable.
- Information altered or spoofed by a hacker is rejected.
- Client and server can verify each other's identity.
- The client-to-server connection cannot be hijacked.
- Remote access services are available.
- Services can be managed with existing infrastructure tools and technologies.
- Open, non-proprietary standards are built into the design.

Design Goals: Site-to-Site VPNs
- Transmitted data is encrypted between endpoints.
- Data intercepted on the Internet should be unreadable.
- Information altered or spoofed by a hacker is rejected.
- Site-to-site endpoints can verify each other's identity.
- The site-to-site connection cannot be hijacked.
- Remote access services are available.
- Routes are available across the entire network, LAN, and VPN from all endpoints.
- Services can be managed with existing infrastructure tools and technologies.
What Is a Virtual Private Network?
- Flexible and cost-effective mesh topology
- Reduced hardware and maintenance costs
- Reduced client-to-site connection costs
- Reduced site-to-site connection costs
- High-speed access to enterprise resources
- Flexible, secure communication channels
- Rapid connection of new sites at a lower cost
- Centralized authentication services

VPN Technologies
Option 1: Server-based VPNs
  - Advantages: capitalize on current investments; standard Windows tools
  - Disadvantages: patch management requirement; consolidation risk to the VPN server
Option 2: Hardware-based VPNs
  - Advantages: high network throughput; secure remote administration; highly configurable
  - Disadvantages: expensive; proprietary client software; requires specialized skills
Option 3: Third-party Managed VPN Services
  - Advantages: low cost; outsourced installation and support; availability
  - Disadvantages: loss of control; loss of flexibility

VPN Design Process
- Devices: hardware-based VPN device; Windows Server 2003
- Communication protocol: PPTP (Point-to-Point Tunneling Protocol); L2TP (Layer 2 Tunneling Protocol)
- Authentication protocol: MS-CHAP v2; EAP-TLS (Extensible Authentication Protocol with Transport Layer Security)
- End-to-end encryption level: Strong; Strongest

Other Design Challenges
- VPN solution consolidation: dedicated devices for each solution, or consolidate on a single device or on a cluster
- Placement of VPN devices: in front of the firewall; behind the firewall; next to the firewall; VPN consolidated with the firewall
- Load balancing the solution: round-robin DNS; hardware-based load balancing; software-based load balancing
Client Remote Access Design

Selecting VPN Devices
Option 1: Hardware-based VPN Device
  - Advantages: dedicated solution; scalable solution; reliability
  - Disadvantages: proprietary software (may be); higher cost; support overhead
Option 2: Windows Server 2003 Server
  - Advantages: common platform; consolidation potential; proven technology
  - Disadvantages: patch management; VPN dependencies

Selecting VPN Protocols
Option 1: Point-to-Point Tunneling Protocol (PPTP)
  - Advantages: client support; firewall support; provides data confidentiality; low encryption overhead
  - Disadvantages: no data integrity check; requires MS-CHAP v2
Option 2: Layer 2 Tunneling Protocol (L2TP)
  - Advantages: origin, integrity, replay, and confidentiality protection; strong authentication; Windows client support
  - Disadvantages: encryption overhead; requires a certificate infrastructure or a pre-shared key

Selecting VPN Authentication Protocol
Option 1: MS-CHAP v2
  - Password-based authentication protocol.
  - Used in the absence of certificates or smart cards.
Option 2: EAP-TLS (Certificates or Smart Cards)
  - Designed for use with a certificate infrastructure and either certificates or smart cards.
  - Strongest authentication method, since it does not rely on passwords.

Selecting VPN Authentication Method
Option 1: Windows Authentication
  - Advantage: existing infrastructure
  - Disadvantage: management is not scalable
Option 2: Internet Authentication Service (IAS)
  - Advantages: increased security; logging; ability to apply policies
  - Disadvantage: increased management costs
Site-to-Site VPN Design

Selecting Site-to-Site VPN Devices
Option 1: Hardware-based VPN Devices
  - Advantages: dedicated solution; scalable solution; reliability; easy to install
  - Disadvantages: proprietary software (may be); vendor restrictions; additional licensing costs
Option 2: Hardware-based VPN Device at Branch Office and Windows Server 2003 at Corporate Office
  - Advantages: simple deployment; ease of installation; scalability and management
  - Disadvantage: support costs

Selecting Site-to-Site VPN Devices (cont'd)
Option 3: Windows Server 2003 to Connect Branch and Corporate Offices
  - Advantages: common platform; consolidation potential; proven technology; hardware reuse; no additional costs
  - Disadvantages: patch management; VPN dependencies

Selecting Site-to-Site VPN Communication Protocols
Option 1: Layer Two Tunneling Protocol / Internet Protocol Security (L2TP/IPSec)
  - Advantages: origin, integrity, replay, and confidentiality protection; strong authentication
  - Disadvantage: encryption overhead
Option 2: Pure Internet Protocol Security (IPSec) Tunnel
  - Advantages: interoperability; provides for gateway-to-gateway tunneling
  - Disadvantages: may not support user-based authentication; potential vulnerabilities
Other Design Challenges

VPN Solution Consolidation
Option 1: Dedicated Devices for Each Solution
  - Advantages: limited impact on availability; independent management; appropriate cost allocation
  - Disadvantage: higher costs
Option 2: Consolidate Solutions on a Single Device or Cluster
  - Advantages: cost savings; load balanced
  - Disadvantage: one service affects the other

Placement of VPN Devices
Option 1: VPN Server in Front of the Firewall
  - Advantages: separate VPN service; simple configuration; no bandwidth restrictions; firewall security policy can be applied to clients
  - Disadvantages: VPN not protected by the firewall; multiple connection logging

Placement of VPN Devices (cont'd)
Option 2: VPN Server Behind the Firewall
  - Advantages: VPN can use firewall filtering and logging; VPN-specific IP address not required; VPN security
  - Disadvantages: firewall rules; bandwidth limitations

Placement of VPN Devices (cont'd)
Option 3: VPN Server and Firewall Side by Side on the Same Internet Segment
  - Advantages: separate VPN service; simple configuration; independent management; firewall licensing
  - Disadvantages: bandwidth limitations; VPN not protected by the firewall

Placement of VPN Devices (cont'd)
Option 4: VPN Consolidated Firewall Design
  - Advantages: cost-effective; manageable
  - Disadvantages: potential service conflicts; delegation restrictions
Availability
- Two ISPs should be used at sites to connect to the Internet.
- At least two VPN servers should be used at sites.
- At least two VPN servers and two ISPs should be used at the branch office site if the availability requirement is high.
- All network devices, such as routers, switches, and firewalls, placed between two VPN endpoint servers should provide for redundancy.
Security

Encryption Levels and Encryption Support
Encryption Level | L2TP Encryption Required        | PPTP Encryption Required
Strongest        | IPSec 168-bit Triple DES (3DES) | MPPE 128-bit encryption
Strong           | IPSec 56-bit DES                | MPPE 56-bit data encryption
Basic            | IPSec 56-bit DES                | MPPE 40-bit data encryption
No Encryption    | No encryption required

Ports and Protocols Allowed Through the VPN Server
Protocol              | Server Port
PPTP                  | 1723/TCP
GRE for PPTP          | 47/TCP
IPSec                 | 500/UDP
For ESP traffic       | IP Protocol 50
NAT Traversal         | 4500/UDP
RADIUS Authentication | 1812/UDP
RADIUS Accounting     | 1813/UDP
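As an added worked example (not code from the original deck), the two tables above turned into a small design check: given the tunnel protocols and encryption level chosen in the design process, derive the allow-list the firewall in front of or beside the VPN server must carry, and report what a proposed rule set is missing. The rule representation, function names and the sample firewall policy are assumptions; GRE and ESP are modelled as IP protocols 47 and 50, since neither is a TCP or UDP port.

```python
"""Derive the VPN server's required firewall entries from the deck's
"Ports and Protocols" table and compare them with a proposed rule set.
Added example, not from the original presentation; rule shape is assumed."""

# (transport, number) entries. "ip" means an IP protocol number, not a port:
# GRE is IP protocol 47 and ESP is IP protocol 50.
REQUIRED = {
    "PPTP": {("tcp", 1723), ("ip", 47)},                      # control + GRE data
    "L2TP/IPsec": {("udp", 500), ("udp", 4500), ("ip", 50)},  # IKE, NAT-T, ESP
    "RADIUS": {("udp", 1812), ("udp", 1813)},                 # IAS auth + accounting
}

# "Encryption Levels" table: level -> (L2TP/IPsec cipher, PPTP MPPE key length)
ENCRYPTION = {
    "Strongest": ("IPsec 168-bit 3DES", "MPPE 128-bit"),
    "Strong": ("IPsec 56-bit DES", "MPPE 56-bit"),
    "Basic": ("IPsec 56-bit DES", "MPPE 40-bit"),
    "No Encryption": (None, None),
}

def required_rules(protocols):
    """Union of the allow entries needed for the selected protocol set."""
    rules = set()
    for p in protocols:
        if p not in REQUIRED:
            raise ValueError(f"unknown protocol {p!r}")
        rules |= REQUIRED[p]
    return rules

def missing_rules(protocols, firewall_allows):
    """Entries the firewall still lacks. A classic PPTP failure is permitting
    TCP 1723 but forgetting IP protocol 47, so tunnels authenticate then hang."""
    return sorted(required_rules(protocols) - set(firewall_allows))

def ciphers_for(level, protocols):
    """Cipher each selected tunnel protocol uses at the chosen encryption level."""
    ipsec, mppe = ENCRYPTION[level]
    out = {}
    if "L2TP/IPsec" in protocols:
        out["L2TP/IPsec"] = ipsec
    if "PPTP" in protocols:
        out["PPTP"] = mppe
    return out

if __name__ == "__main__":
    # Constructed sample: PPTP + L2TP/IPsec with IAS for RADIUS, and a proposed
    # firewall policy that forgot GRE and RADIUS accounting.
    design = ["PPTP", "L2TP/IPsec", "RADIUS"]
    proposed = [("tcp", 1723), ("udp", 500), ("udp", 4500), ("ip", 50), ("udp", 1812)]
    print("missing:", missing_rules(design, proposed))  # [('ip', 47), ('udp', 1813)]
    print("ciphers:", ciphers_for("Strongest", design))
```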
Remote Access Services Design for a Centralized Data Center