Guide to Firewalls and Network Security with Intrusion


Setting Up a Virtual Private Network
Chapter 9
Learning Objectives
  - Understand the components and essential operations of virtual private networks (VPNs)
  - Describe the different types of VPNs
  - Create VPN setups such as mesh or hub-and-spoke configurations
  - Choose the right tunneling protocol for your VPN
  - Enable secure remote access for individual users via a VPN
  - Observe best practices for configuring and maintaining VPNs effectively
VPNs
  - Goal: Provide a cost-effective and secure way to connect businesses to one another and remote workers to office networks
  - Encapsulate and encrypt data being transmitted
  - Use authentication to ensure that only approved users can access the VPN
  - Provide a means of secure point-to-point communications over the public Internet
VPN Components and Operations
  - Essential components that make up a VPN
  - How VPNs enable data to be accessed securely
  - Advantages and disadvantages of using VPNs compared to leased lines
  - How VPNs extend network boundaries
Components within VPNs
  - Hardware devices
    - Can have two endpoints or terminators
    - Can have a (virtual) tunnel
  - Software that performs security-related activities
Devices That Form the Endpoints of the VPN
  - Server running a tunneling protocol
  - VPN appliance
  - A firewall/VPN combination
  - A router-based VPN
Essential Activities of VPNs
  - IP encapsulation
  - Data payload encryption
  - Encrypted authentication
IP Encapsulation
  - Provides a high degree of protection
  - VPN encapsulates actual data packets within packets that use the source and destination addresses of the VPN gateway
    - Source and destination information of the actual data packets is completely hidden
  - Because a VPN tunnel is used, source and destination IP addresses of the actual data packets can be in private reserved blocks not usually routable over the Internet
Data Payload Encryption
  - Transport method
  - Tunnel method
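The following script is an added example, not material from the textbook or its slides. It builds real IPv4 headers with struct, then shows the difference between the two encryption methods named on the slide: in transport mode the original header (with its private 10.x addresses) stays visible on the wire and only the payload is encrypted, while in tunnel mode the whole original packet is encrypted and a new header addressed gateway-to-gateway is prepended, which is the encapsulation the previous slide describes. The addresses, payload and key are constructed for the demo, and the XOR keystream is a stand-in for a real cipher so the script runs on the standard library alone.

```python
"""Added example (not from the textbook): IPv4 encapsulation and the
transport/tunnel distinction, modelled with raw byte strings.

Assumption: the cipher is an illustration-only XOR keystream derived from
SHA-256 so the script needs only the standard library; it stands in for the
AES/3DES a real ESP implementation uses and offers no real confidentiality."""
import hashlib
import socket
import struct

PROTO_TCP = 6
PROTO_ESP = 50        # IANA protocol number carried in the outer header


def checksum(header: bytes) -> int:
    """Standard IPv4 one's-complement header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a minimal 20-byte IPv4 header with a correct checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", checksum(fields)) + fields[12:]


def parse_header(packet: bytes) -> dict:
    """What an observer on the wire can read from the leading header."""
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9]}


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Illustration-only keystream (SHA-256 in counter mode); NOT a real cipher."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def protect_transport(packet: bytes, key: bytes) -> bytes:
    """Transport method: keep the original header, encrypt only the payload.
    The original addresses remain visible to anyone on the path."""
    return packet[:20] + xor_stream(key, packet[20:])


def protect_tunnel(packet: bytes, key: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel method: encrypt the WHOLE original packet, header included, and
    prepend a new header that carries only the gateway addresses."""
    inner = xor_stream(key, packet)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(inner)) + inner


def unprotect_tunnel(wire: bytes, key: bytes) -> bytes:
    """Receiving gateway strips the outer header and recovers the inner packet."""
    return xor_stream(key, wire[20:])


def demo() -> dict:
    key = b"constructed-demo-key"
    # Constructed inner packet: RFC 1918 addresses that are not Internet-routable.
    payload = b"GET / HTTP/1.0\r\n\r\n"
    inner = ipv4_header("10.1.1.25", "10.2.2.80", PROTO_TCP, len(payload)) + payload
    transport = protect_transport(inner, key)
    tunnel = protect_tunnel(inner, key, "203.0.113.1", "198.51.100.1")
    private = (socket.inet_aton("10.1.1.25"), socket.inet_aton("10.2.2.80"))
    return {
        "transport_visible": parse_header(transport),   # private addresses still readable
        "tunnel_visible": parse_header(tunnel),         # only the gateways are readable
        "inner_hidden": not any(a in tunnel for a in private),
        "outer_checksum_ok": checksum(tunnel[:20]) == 0,  # header incl. checksum sums to 0
        "roundtrip_ok": unprotect_tunnel(tunnel, key) == inner,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the script shows that transport mode leaves 10.1.1.25 and 10.2.2.80 in the clear, which is why a packet filter between the gateways can still see the original endpoints, whereas in tunnel mode the outer header shows only the two gateway addresses and protocol 50.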
Encrypted Authentication
  - Hosts are authenticated by exchanging long blocks of code (keys) that are generated by complex formulas (algorithms)
  - Types of keys that can be exchanged
    - Symmetric keys
    - Asymmetric keys
Advantages and Disadvantages of VPNs
VPNs Extend a Network’s Boundaries
  - To deal with the increased risk caused by VPN connections
    - Use two or more authentication tools to identify remote users
    - Integrate virus protection
    - Set usage limits
Types of VPNs
  - Site-to-site VPN
    - Links two or more networks
  - Client-to-site VPN
    - Makes a network accessible to remote users who need dial-in access
VPN Appliances
  - Hardware devices specially designed to terminate VPNs and join multiple LANs
  - Permit connections, but do not provide other services (e.g., file sharing, printing)
  - Enable connections of more tunnels and users than software systems
  - Examples
    - SonicWALL series
    - Symantec Firewall/VPN appliance
Advantage of Using Hardware Systems
Software VPN Systems
  - Generally less expensive than hardware systems
  - Tend to scale better for fast-growing networks
  - Examples
    - F-Secure VPN+
    - Novell BorderManager VPN services
    - Check Point FireWall-1
VPN Combinations of Hardware and Software
  - Cisco 3000 Series VPN Concentrator
    - Gives users the choice of operating in:
      - Client mode, or
      - Network extension mode
VPN Combinations of Different Vendors’ Products
  - Challenge: Get all pieces to talk to and communicate with one another successfully
  - Pick a standard security protocol that is widely used and that all devices support (e.g., IPSec)
VPN Setups
  - If two participants
    - Configuration is relatively straightforward in terms of expense, technical difficulty, and time
  - If three or more, several options
    - Mesh configuration
    - Hub-and-spoke arrangement
    - Hybrid setup
Mesh Configuration
  - Connects multiple computers that each have a security association (SA) with all other machines in the VPN
Hub-and-Spoke Configuration
  - A single VPN router maintains records of all SAs
  - Any device that wishes to participate in the VPN need only connect to the central router
  - Easy to increase the size of the VPN
  - The requirement that all communications flow into and out of the central router slows down communications
Hybrid Configuration
  - Benefits from the strengths of each—scalability of the hub-and-spoke option and speed of the mesh option
  - Use mesh for the most important branches of the network and critical communications
  - Use hub-and-spoke for overseas branches and for new branch offices
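The script below is an added example, not part of the textbook, that makes the trade-off between the mesh, hub-and-spoke and hybrid setups concrete: it enumerates the security associations each setup requires, counts how many SAs each device must maintain, and traces the path a packet takes between two sites (one hop across a direct SA, or two hops through the central router). The site names and the choice of which sites count as critical are constructed for the demo.

```python
"""Added example (not from the textbook): SA inventory and packet paths for
mesh, hub-and-spoke and hybrid VPN setups.  Site names are constructed."""
from itertools import combinations


def mesh_sas(sites):
    """Every site keeps an SA with every other site: n(n-1)/2 SAs in total."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def hub_spoke_sas(hub, spokes):
    """Only the hub records all SAs; each spoke keeps exactly one."""
    return {frozenset((hub, s)) for s in spokes}


def hybrid_sas(core_sites, hub, branch_sites):
    """Mesh among the critical (core) sites; new or overseas branches hang
    off one core site that acts as the hub."""
    if hub not in core_sites:
        raise ValueError("the hub must be one of the meshed core sites")
    return mesh_sas(core_sites) | hub_spoke_sas(hub, branch_sites)


def sas_per_site(sas):
    """Number of SAs each device has to maintain (its administrative load)."""
    load = {}
    for sa in sas:
        for site in sa:
            load[site] = load.get(site, 0) + 1
    return load


def path(sas, src, dst):
    """Breadth-first search over SAs: direct in a mesh, via the hub otherwise.
    Returns the list of sites traversed, or None if unreachable."""
    adjacent = {}
    for sa in sas:
        a, b = tuple(sa)
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    queue, seen = [[src]], {src}
    while queue:
        route = queue.pop(0)
        if route[-1] == dst:
            return route
        for nxt in sorted(adjacent.get(route[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(route + [nxt])
    return None


def demo() -> dict:
    core = ["HQ", "DC-East", "DC-West"]       # constructed critical sites
    branches = ["Paris", "Tokyo"]             # constructed overseas/new offices
    all_sites = core + branches
    mesh = mesh_sas(all_sites)
    hub = hub_spoke_sas("HQ", all_sites[1:])
    hybrid = hybrid_sas(core, "HQ", branches)
    return {
        "mesh_count": len(mesh),                          # 5 sites -> 10 SAs
        "hub_count": len(hub),                            # 4 SAs
        "hybrid_count": len(hybrid),                      # 3 core + 2 branch = 5
        "hybrid_hq_load": sas_per_site(hybrid)["HQ"],     # hub carries 4 of them
        "mesh_path": path(mesh, "DC-East", "DC-West"),            # direct
        "hub_path": path(hub, "DC-East", "DC-West"),              # via HQ
        "hybrid_core_path": path(hybrid, "DC-East", "DC-West"),   # direct (meshed)
        "hybrid_branch_path": path(hybrid, "Paris", "DC-West"),   # via HQ
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Adding a sixth site to the mesh would add five SAs, one on every existing device, whereas adding it as a spoke adds one SA on the hub and one on the new site; the path results show the price, an extra hop through the hub for every spoke-to-spoke conversation.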
Configurations and Extranet and Intranet Access
  - Extranet
    - Enable firewalls and anti-virus software for each remote user or business partner
  - Intranet
    - Establish usage limits
    - Set up anti-virus and firewall protection
Tunneling Protocols Used with VPNs
  - IPSec/IKE
  - PPTP (Point-to-Point Tunneling Protocol)
  - L2TP (Layer 2 Tunneling Protocol)
  - PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer)
  - PPP over SSH (Point-to-Point Protocol over Secure Shell)
IPSec/IKE
  - IPSec provides:
    - Encryption of the data part of packets
    - Authentication
    - Encapsulation between two VPN hosts
    - Two security methods (AH and ESP)
    - Capability to work in two modes (transport and tunnel)
  - IKE provides:
    - Exchange of public and private keys
    - Ability to determine which encryption protocols should be used to encrypt data that flows through the VPN tunnel
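As an added example (not from the textbook, and not a real IKE implementation), the script below walks through the two jobs the slide assigns to IKE and, at the same time, the symmetric/asymmetric distinction from the Encrypted Authentication slide: the responder picks an encryption suite from the initiator's ordered proposal list, both peers run a Diffie-Hellman exchange in which only public values cross the wire (the asymmetric part; private values never leave their owner), and each side proves knowledge of a pre-shared key with an HMAC bound to the exchange (the symmetric part). The DH group is a small constructed one so the code stays readable; real IKE deployments use the MODP groups defined in RFC 3526, and the suite names are just labels.

```python
"""Added example (not from the textbook): a simplified IKE-style handshake
covering suite negotiation, Diffie-Hellman key agreement and pre-shared-key
authentication.  Constructed DH parameters; not a real IKE implementation."""
import hashlib
import hmac
import secrets

# Constructed toy group: 2**127 - 1 is prime, generator 5 is for illustration only.
DH_P = (1 << 127) - 1
DH_G = 5


def negotiate(offered: list, supported: list):
    """Responder accepts the first suite in the initiator's ordered proposal
    that it also supports; None means the peers cannot agree."""
    for suite in offered:
        if suite in supported:
            return suite
    return None


def dh_keypair():
    """Private exponent stays local; only the public value is transmitted."""
    priv = secrets.randbelow(DH_P - 2) + 2
    return priv, pow(DH_G, priv, DH_P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, DH_P).to_bytes(16, "big")


def auth_tag(psk: bytes, role: bytes, n_i: bytes, n_r: bytes,
             pub_i: int, pub_r: int) -> bytes:
    """Proof of PSK knowledge bound to this exchange's nonces and DH values,
    so a tag captured from one session is useless in another."""
    msg = role + n_i + n_r + pub_i.to_bytes(16, "big") + pub_r.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def handshake(psk_initiator: bytes, psk_responder: bytes,
              offered: list, supported: list) -> dict:
    """Run both peers in one process and report the outcome."""
    suite = negotiate(offered, supported)
    if suite is None:
        return {"ok": False, "reason": "no common cipher suite"}

    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    priv_i, pub_i = dh_keypair()
    priv_r, pub_r = dh_keypair()

    # Each side derives the secret from its own private value and the peer's public one.
    secret_i = dh_shared(priv_i, pub_r)
    secret_r = dh_shared(priv_r, pub_i)

    # Responder authenticates first; the initiator checks it with ITS copy of the PSK.
    tag_r = auth_tag(psk_responder, b"R", n_i, n_r, pub_i, pub_r)
    if not hmac.compare_digest(tag_r, auth_tag(psk_initiator, b"R", n_i, n_r, pub_i, pub_r)):
        return {"ok": False, "reason": "responder authentication failed"}
    tag_i = auth_tag(psk_initiator, b"I", n_i, n_r, pub_i, pub_r)
    if not hmac.compare_digest(tag_i, auth_tag(psk_responder, b"I", n_i, n_r, pub_i, pub_r)):
        return {"ok": False, "reason": "initiator authentication failed"}

    # Session keys come from the DH secret plus both nonces, never from the PSK alone,
    # so a later PSK compromise does not expose recorded traffic.
    key_i = hashlib.sha256(secret_i + n_i + n_r).digest()
    key_r = hashlib.sha256(secret_r + n_i + n_r).digest()
    return {"ok": True, "suite": suite, "keys_match": key_i == key_r}


if __name__ == "__main__":
    print(handshake(b"demo-psk", b"demo-psk",
                    ["AES-256-CBC", "3DES-CBC"], ["3DES-CBC", "AES-256-CBC"]))
    print(handshake(b"demo-psk", b"other-psk", ["AES-256-CBC"], ["AES-256-CBC"]))
```

Two design points carry over to real deployments: the responder's choice follows the initiator's preference order, so a weak suite listed first gets selected even when stronger ones are available, and the HMAC covers the nonces and DH public values, which is what ties the authentication to the key agreement.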
PPTP
  - Developed by Microsoft for granting VPN access to remote users over dial-up connections
  - Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data
  - Useful if support for older clients is needed
  - Compatible with Network Address Translation (NAT)
  - Replaced by L2TP
L2TP
  - Extension to PPP that enables dial-up users to establish a VPN connection to a remote access server
  - Uses IPSec to encrypt data
  - Incompatible with NAT but provides a higher level of encryption and authentication
PPP Over SSL and PPP Over SSH
  - Two UNIX-based methods for creating VPNs
  - Both combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH)
  - SSL
    - Public key encryption system used to provide secure communications over the Web
  - SSH
    - UNIX secure shell that uses secret key encryption (pre-shared key) to authenticate participants
When to Use Different VPN Protocols
Enabling Remote Access Connections within VPNs
  - Issue the user VPN client software
  - Make sure the user’s computer is equipped with anti-virus software and a firewall
  - May need to obtain a key for the remote user if you plan to use IPSec to make the VPN connection as well
Configuring the Server
  - Major operating systems include ways of providing secure remote access
    - Linux
      - IP Masquerade feature
    - Windows XP and 2000
      - Network Connections Wizard
Configuring Clients
  - Involves either installing and configuring VPN client software or using the Network Connection Wizard
  - Client workstation must be protected by a firewall
VPN Best Practices
  - Security policy rules that specifically apply to the VPN
  - Integration of firewall packet filtering with VPN traffic
  - Auditing the VPN to make sure it is performing acceptably
The Need for a VPN Policy
  - Identify who can use the VPN
  - Ensure that all users know what constitutes proper use of the VPN
    - Whether and how authentication is to be used
    - Whether split tunneling is permitted
    - How long users can be connected at any one session
    - Whether virus protection is included
Packet Filtering and VPNs
  - Encryption and decryption of data can be performed either outside the packet-filtering perimeter or inside it
PPTP Filter Rules
L2TP and IPSec Packet-Filtering Rules
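The rule tables the two slides above refer to are not reproduced in this transcript. As an added example that is not from the textbook, the script below encodes the rules a packet filter needs when the VPN server sits inside the filtered perimeter, using the standard port and protocol numbers: PPTP needs its TCP 1723 control channel plus GRE (IP protocol 47) for the data, and L2TP over IPSec needs IKE on UDP 500 (UDP 4500 when NAT traversal is in use) plus ESP (IP protocol 50); the L2TP traffic itself on UDP 1701 travels inside ESP, so the filter never needs a rule for it. It then runs constructed sample packets through a first-match, default-deny evaluator. The gateway address, rule names and sample packets are constructed.

```python
"""Added example (not from the textbook): stateless first-match packet filter
with the rules a PPTP and an L2TP/IPSec VPN server behind the filter require.
The gateway address, rule names and sample packets are constructed."""
from dataclasses import dataclass

VPN_GW = "203.0.113.10"     # constructed address of the VPN server behind the filter


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (Internet -> internal) or "out"
    proto: str              # "tcp", "udp", "gre", "esp", "ah"
    src: str
    dst: str
    sport: int = 0          # 0 for protocols without ports
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    direction: str
    proto: str
    dst: str = "any"
    dport: int = 0          # 0 matches any port
    src: str = "any"
    sport: int = 0

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and self.dst in ("any", p.dst) and self.src in ("any", p.src)
                and self.dport in (0, p.dport) and self.sport in (0, p.sport))


# PPTP: control channel on TCP 1723, tunnelled data in GRE (protocol 47)
PPTP_RULES = [
    Rule("pptp-control-in",  "allow", "in",  "tcp", dst=VPN_GW, dport=1723),
    Rule("pptp-control-out", "allow", "out", "tcp", src=VPN_GW, sport=1723),
    Rule("pptp-gre-in",      "allow", "in",  "gre", dst=VPN_GW),
    Rule("pptp-gre-out",     "allow", "out", "gre", src=VPN_GW),
]

# L2TP/IPSec: the filter sees IKE (UDP 500 / 4500) and ESP; L2TP rides inside ESP
L2TP_IPSEC_RULES = [
    Rule("ike-in",   "allow", "in",  "udp", dst=VPN_GW, dport=500),
    Rule("ike-out",  "allow", "out", "udp", src=VPN_GW, sport=500),
    Rule("natt-in",  "allow", "in",  "udp", dst=VPN_GW, dport=4500),
    Rule("natt-out", "allow", "out", "udp", src=VPN_GW, sport=4500),
    Rule("esp-in",   "allow", "in",  "esp", dst=VPN_GW),
    Rule("esp-out",  "allow", "out", "esp", src=VPN_GW),
]


def filter_packet(rules, p: Packet):
    """First matching rule wins; anything left unmatched is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return "deny", "default-deny"


def demo() -> dict:
    rules = PPTP_RULES + L2TP_IPSEC_RULES
    peer = "198.51.100.7"   # constructed remote client address
    samples = {
        "pptp_control":     Packet("in", "tcp", peer, VPN_GW, 51000, 1723),
        "pptp_gre":         Packet("in", "gre", peer, VPN_GW),
        "ike":              Packet("in", "udp", peer, VPN_GW, 500, 500),
        "esp":              Packet("in", "esp", peer, VPN_GW),
        "esp_reply":        Packet("out", "esp", VPN_GW, peer),
        "bare_l2tp":        Packet("in", "udp", peer, VPN_GW, 1701, 1701),        # L2TP outside IPSec
        "pptp_other_host":  Packet("in", "tcp", peer, "203.0.113.20", 51000, 1723),  # not the VPN server
        "unrelated_tcp":    Packet("in", "tcp", peer, VPN_GW, 51001, 445),
    }
    return {name: filter_packet(rules, p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict[0]:5} ({verdict[1]})")
```

The two rejected cases are the ones worth checking in a real rule set: bare L2TP on UDP 1701 is dropped because the policy only admits L2TP wrapped in ESP, and a PPTP connection aimed at any host other than the VPN server is dropped because every allow rule is pinned to the gateway address.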
Auditing and Testing the VPN
  - Time consuming
  - Choose client software that is easy for end users to install on their own to save you time and effort
Chapter Summary
  - Configuration and operations of VPNs