Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright Microsoft Corp. 2006 Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.

Published byErick Glenn Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright Microsoft Corp. 2006 Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices."— Presentation transcript:

1 Copyright Microsoft Corp. 2006 Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices

2 Copyright Microsoft Corp. 2006 Design Goals: Client Remote Access Transmitted data is encrypted between endpoints. Intercepted data on Internet should be unreadable. Information altered or spoofed by hacker is rejected. Client and server can verify each other’s identity. Client and server connection cannot be hijacked. Remote access services availability. Services can be managed with existing infrastructure tools and technologies. Open, non-proprietary standards are built into design.

3 Copyright Microsoft Corp. 2006 Design Goals: Site-to-Site VPNs Transmitted data is encrypted between endpoints. Intercepted data on Internet should be unreadable. Information altered or spoofed by hacker is rejected. Site-to-Site end points can verify each other’s identity. Site-to-Site connection cannot be hijacked. Remote access services availability. Routes are available across the entire network, LAN, and VPN from all endpoints. Services can be managed with existing infrastructure tools and technologies.

4 Copyright Microsoft Corp. 2006 Design Options for Remote Access Remote Client Access Option 1: Dial-up Remote Access Option 2: VPN Remote Access Site-to-Site Access Option 1: Dial-up Remote Access Option 2: Fixed Links Option 3: VPN Site-to-Site Access

5 Copyright Microsoft Corp. 2006 VPN Technologies

6 Copyright Microsoft Corp. 2006 What Is a Virtual Private Network? Flexible and cost-effective mesh topology Reduced hardware and maintenance costs Reduced client-to-site connection costs Reduced site-to-site connection costs High-speed access to enterprise resources Flexible, secure communication channels Rapid connection of new sites at a lower cost Centralized authentication services

7 Copyright Microsoft Corp. 2006 VPN Technologies Option 1: Server-based VPNs Advantages Capitalize on current investments Standard Windows tools Option 2: Hardware-based VPNs Advantages High network throughput Secure remote administration Highly configurable Option 3: Third-party Managed VPN Services Advantages Low cost Outsourced installation and support Availability Disadvantages Patch management requirement Consolidation risk to VPN server DisadvantagesExpensive Proprietary client software Requirement of specialized skills Disadvantages Loss of control Loss of flexibility

8 Copyright Microsoft Corp. 2006 VPN Design Process Devices Hardware-based VPN device Windows Server 2003 Communication protocol PPTP (Point to Point Tunneling Protocol) L2TP (Layer 2 Tunneling Protocol) Authentication protocol MS-CHAP v2 Extensible authentication protocol and transport layer protocol End-to-end encryption level StrongStrongest

9 Copyright Microsoft Corp. 2006 Other Design Challenges VPN solution consolidation Dedicated devices for each solution Consolidate on a single device or on a cluster Placement of VPN devices In front of the firewall Behind the firewall Next to the firewall VPN consolidated firewall Load balancing the solution Round-robin DNS Hardware-based load balancing Software-based load balancing

10 Copyright Microsoft Corp. 2006 Client Remote Access Design

11 Copyright Microsoft Corp. 2006 Selecting VPN Devices Option 1: Hardware-based VPN Device Advantages Dedicated solution Scalable solution Reliability Option 2: Windows Server 2003 Server Advantages Common platform Consolidation potential Proven technology Disadvantages Proprietary software (may be) Higher cost Support overhead Disadvantages Patch management VPN dependencies

12 Copyright Microsoft Corp. 2006 Selecting VPN Protocols Option 1: Point to Point Tunneling Protocol (PPTP) Advantages Client support Firewall support Provides data confidentiality Low encryption overhead Option 2: Layer 2 Tunneling Protocol (L2TP) Advantages Origin, integrity, replay, and confidentiality protection and confidentiality protection Strong authentication Windows client support Disadvantages No data integrity check Requires MS-CHAP v2 Disadvantages Encryption overhead Requires certificate infrastructure or infrastructure or pre-shared key pre-shared key

13 Copyright Microsoft Corp. 2006 Selecting VPN Authentication Protocol Option 1: MS-CHAP v2 Password-based authentication protocols. Used in absence of certificates or smart cards. Option 2: EAP-TLS (Certificates or Smart Cards) Designed for use with a certificate infrastructure and either certificates or smart cards. Strongest authentication method since it does not rely on passwords.

14 Copyright Microsoft Corp. 2006 Selecting VPN Authentication Method Option 1: Windows Authentication Advantage Existing infrastructure Option 2: Internet Authentication Service (IAS) Advantages Increased security Logging Apply policies Disadvantage Management is not scalable Disadvantage Increased management costs

15 Copyright Microsoft Corp. 2006 Site-to-Site VPN Design

16 Copyright Microsoft Corp. 2006 Selecting Site-to-Site VPN Devices Option 1: Hardware-based VPN Devices Advantages Dedicated solution Scalable solution Reliability Easy to install Option 2: Hardware-based VPN Device at Branch Office and Windows Server 2003 at Corporate Office and Windows Server 2003 at Corporate OfficeAdvantages Simple deployment Ease of installation Scalability & Management Disadvantages Proprietary software (may be) Vendor restrictions Additional licensing costs Disadvantages Support costs

17 Copyright Microsoft Corp. 2006 Selecting Site-to-Site VPN Devices Option 3: Windows Server 2003 to Connect Branch and Corporate Offices Corporate OfficesAdvantages Common platform Consolidation potential Proven technology Hardware reuse No additional costs Disadvantages Patch management VPN dependencies

18 Copyright Microsoft Corp. 2006 Selecting Site-to-Site VPN Communication Protocols Option 1: Layer Two Tunneling Protocol / Internet Protocol Security Protocol SecurityAdvantages Origin, integrity, replay, and confidentiality protection and confidentiality protection Strong authentication Option 2: Pure Internet Protocol Security Tunnel AdvantagesInteroperability Provides for gateway-to-gateway gateway-to-gateway tunneling tunneling Disadvantage Encryption Overhead Disadvantages May not support user-based authentication user-based authentication Potential vulnerabilities

19 Copyright Microsoft Corp. 2006 Site-to-Site Authentication Protocols Option 1: Certificate-based Authentication Advantages Devices uniquely certified Flexible deployment Option 2: Internet Protocol Security with Shared Secret AdvantageStandards-based interoperability interoperability Disadvantage Maintenance Overhead Disadvantages Shared secret vulnerability Password update overhead Weak authentication

20 Copyright Microsoft Corp. 2006 Other Design Challenges

21 Copyright Microsoft Corp. 2006 VPN Solution Consolidation Option 1: Dedicated Devices for Each Solution Advantages Limited impact on availability Independent management Appropriate cost allocation Option 2: Consolidate Solutions on Single Device or Cluster Advantages Cost savings Load balanced Disadvantage Higher Costs Disadvantage One service affects other

22 Copyright Microsoft Corp. 2006 Placement of VPN Devices Option 1: VPN Server in Front of the Firewall Advantages Separate VPN service Simple configuration No bandwidth restrictions Firewall security policy can be applied to clients be applied to clients Disadvantages VPN not protected by firewall Multiple connection logging

23 Copyright Microsoft Corp. 2006 Placement of VPN Devices (cont’d)… Option 2: VPN Server Behind the Firewall Advantages VPN can use firewall filtering and logging filtering and loggingVPN-specific IP address not required IP address not required VPN security Disadvantages Firewall rules Bandwidth limitations

24 Copyright Microsoft Corp. 2006 Placement of VPN Devices (cont’d)… Option 3: VPN Server and Firewall Side by Side on the Same Internet Segment. Same Internet Segment.Advantages Separate VPN service Simple configuration Independent management Firewall licensing Disadvantages Bandwidth limitations VPN not protected by firewall

25 Copyright Microsoft Corp. 2006 Placement of VPN Devices (cont’d)… Option 4: VPN Consolidated Firewall Design AdvantagesCost-effectiveManageable Disadvantages Potential service conflicts Delegation restrictions

26 Copyright Microsoft Corp. 2006 Best Practices

27 Copyright Microsoft Corp. 2006 Availability Two ISPs should be used at sites to connect to Internet. At least two VPN servers should be used at sites. At least two VPN servers and two ISPs should be used at the branch office site if the availability requirement is high. All network devices, such as routers, switches, and firewalls, placed between two VPN endpoint servers should provide for redundancy.

28 Copyright Microsoft Corp. 2006 Security IPSec 168 ‑ bit Triple DES (3DES)MPPE 128 ‑ bit encryption Strongest IPSec 56 ‑ bit DESMPPE 56 ‑ bit data encryption Strong IPSec 56 ‑ bit DESMPPE 40 ‑ bit data encryption Basic No encryption required No Encryption L2TP Encryption RequiredPPTP Encryption Required Encryption Level Encryption Levels and Encryption Support RADIUS Accounting1813/UDP RADIUS Authentication1812/UDP NAT Transversal4500/UDP For ESP trafficIP Protocol 50 IPSec500/UDP PPTP1723/TCP GRE for PPTP47/TCP ProtocolServer Port Ports and Protocols Allowed Through the VPN Server

29 Copyright Microsoft Corp. 2006 Remote Access Services Design for Centralized Data Center

30 Copyright Microsoft Corp. 2006

31

32

33 Remote Access Services Design for Satellite Branch Office

34 Copyright Microsoft Corp. 2006

35

36

37 Questions ?

38 Copyright Microsoft Corp. 2006 © 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Download ppt "Copyright Microsoft Corp. 2006 Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1 Intel / Shiva VPN Solutions Stephen Wong System Engineer.

1 Intel / Shiva VPN Solutions Stephen Wong System Engineer.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Module 10: Configuring Virtual Private Network Access for Remote Clients and Networks.

Module 10: Configuring Virtual Private Network Access for Remote Clients and Networks.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
In this section, we'll cover one of the foundations of network security issues, It talks about VPN (Virtual Private Networks). What..,Why..,and How….?

In this section, we'll cover one of the foundations of network security issues, It talks about VPN (Virtual Private Networks). What..,Why..,and How….?
Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?

Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?
Virtual Private Networking Karlene R. Samuels COSC513.

Virtual Private Networking Karlene R. Samuels COSC513.
Internet Security Seminar Class CS591 Presentation Topic: VPN.

Internet Security Seminar Class CS591 Presentation Topic: VPN.

Similar presentations

Ads by Google