Virtual Private Network (VPN)
© N. Ganesan, Ph.D.

Chapter Objectives
Chapter Modules
Primary Reference
• VPN Overview by Microsoft

VPN
• A virtual private network that is established over, in general, the Internet
• It is virtual because it exists as a virtual entity within a public network
• It is private because it is confined to a set of private users

Why is it a Virtual Private Network?
• From the user's perspective, it appears as a network consisting of dedicated network links
• These links appear as if they are reserved for the VPN clientele
• Because of encryption, the network appears to be private

Example of a VPN (figure)

VPN Major Characteristics
• Must emulate a point-to-point link
– Done by encapsulating the data with a header that allows it to travel across the Internet to reach the end point
• Must emulate a private link
– Done by encrypting the data in the data packets

Typical VPN Connection (figure)

Tunnel and Connections
• Tunnel – the portion of the connection in which the private data is encapsulated
• Connection – the portion of the connection in which the private data is encrypted

Application Areas
• In general, provide users with a connection to the corporate network regardless of their location
• The alternative of using truly dedicated lines for a private network is an expensive proposition

Some Common Uses of VPN
• Provide users with secured remote access over the Internet to corporate resources
• Connect two computer networks securely over the Internet
– Example: connect a branch office network to the network in the head office
• Secure part of a corporate network for security and confidentiality purposes

Remote Access Over the Internet (figure)
Connecting Two Computer Networks Securely (figure)
Securing a Part of the Corporate Network (figure)

Basic VPN Requirements
• User Authentication
• Address Management
• Data Encryption
• Key Management
• Multi-protocol Support

User Authentication
• The VPN must be able to verify the user's identity and allow only authorized users to access the network

Address Management
• Assign addresses to clients and ensure that private addresses are kept private on the VPN

Data Encryption
• Encrypt and decrypt the data to ensure that others on the public network do not have access to the data

Key Management
• Keys must be generated and refreshed for encryption at the server and the client
• Note that keys are required for encryption

Multi-protocol Support
• The VPN technology must support common protocols on the Internet such as IP, IPX etc.

VPN Implementation Protocols
• Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP)
• IPSec

More on Tunneling
• Tunneling involves the encapsulation, transmission and decapsulation of data packets
• The data is encapsulated with additional headers
• The additional headers provide the routing information needed for the encapsulated data to be routed between the end points of a tunnel

Tunneling (figure)

Point-to-Point Tunneling Protocol (PPTP)
• Encapsulates and encrypts the data to be sent over a corporate or public IP network

Layer 2 Tunneling Protocol (L2TP)
• Encapsulates PPP frames to be sent over networks that support datagram delivery
– Examples include IP, X.25, Frame Relay and ATM
– L2TP itself provides no encryption; when encryption is needed it is supplied by IPSec

IPSec Tunnel Mode
• Encapsulates and encrypts the data inside an additional IP header for transmission over an IP network

Layer 2 Tunneling Protocols
• PPTP
• L2TP
• Both encapsulate the payload in a PPP frame

Layer 3 Tunneling Protocol
• IPSec Tunnel Mode – encapsulates the payload in an additional IP header

PPP Format (figure): PPP header | PPP payload
PPTP Format (figure): IP header | GRE header | PPP header | encrypted PPP payload
L2TP Format (figure): IP header | UDP header | L2TP header | PPP header | PPP payload

Windows Implementation of VPN
• L2TP for tunneling
• IPSec for encryption
• Known as L2TP/IPSec

Windows Implementation (figure)

IPSec Tunnel Mode
• Supports only IP networks

Tunnel Types
• Voluntary
– The VPN request is initiated by the client
– The client remains the end point
• Compulsory
– The VPN access server creates a compulsory tunnel for the client
– In this case, the dial-up access server between the user's computer and the tunnel server is the tunnel end point and acts as the client

The Choice
• Voluntary tunneling is used in most applications

Other Important Protocols in VPN
• Microsoft Point-to-Point Encryption (MPPE)
– Encrypts the PPP payload of a PPTP connection; its keys are derived from the MS-CHAP or EAP authentication exchange, so the strength of the connection rests on the authentication method chosen
• Extensible Authentication Protocol (EAP)
– A pluggable authentication framework for PPP; EAP-TLS authenticates with certificates
• Remote Authentication Dial-in User Service (RADIUS)
– Centralized authentication, authorization and accounting; the VPN server forwards the user's credentials to the RADIUS server instead of validating them locally

A Note on RADIUS

Keys
• Symmetric Keys
• Asymmetric Keys

Summary
End of Module

VPN Scenarios
© N. Ganesan, Ph.D.
Chapter Objectives
Chapter Modules
Reference

Some Example Scenarios
• VPN remote access for employees
• On-demand branch office access
• Persistent branch office access
• Extranet for business partners
• Dial-up and VPNs with RADIUS authentication

VPN Remote Access for Employees (figure)
Router-to-Router Branch Office Connection (figure)
Branch Office Connection (Router-to-Router) (figure)
VPN Based Extranet (figure)
Dial-up and VPNs with RADIUS Authentication (figure)

Module: Configuring a VPN Environment

Test Scenario Component Details
• A computer running Windows Server 2003, Enterprise Edition, named DC1 that is acting as a domain controller, a Domain Name System (DNS) server, a Dynamic Host Configuration Protocol (DHCP) server, and a certification authority (CA).
• A computer running Windows Server 2003, Standard Edition, named VPN1 that is acting as a VPN server. VPN1 has two network adapters installed.
• A computer running Windows Server 2003, Standard Edition, named IAS1 that is acting as a Remote Authentication Dial-in User Service (RADIUS) server.
• A computer running Windows Server 2003, Standard Edition, named IIS1 that is acting as a Web and file server.
• A computer running Windows XP Professional named CLIENT1 that is acting as a VPN client.

Private and Public Networks
• Private – 172.16.0.0/24
• Simulated Public – 10.0.0.0/24

DC1
• DC1 is a computer running Windows Server 2003, Enterprise Edition that is providing the following services:
– A domain controller for the example.com Active Directory domain
– A DNS server for the example.com DNS domain
– A DHCP server for the intranet network segment
– The enterprise root certification authority (CA) for the example.com domain

Step 1: Configure DC1
• The first step is to configure the following:
– Active Directory
– DNS
– DHCP
– CA

Step 2: Configure IAS1
• Install Windows Server's Internet Authentication Service (IAS)
– Provides RADIUS authentication, authorization, and accounting for VPN1
• Register the server in Active Directory
• Configure new remote access policies
• Specify the authentication method and encryption level

Step 3: Configure IIS1
• Configure this as a web server for web access as well as file sharing

Step 4: Configure VPN1
• Install VPN1 as a member server in the domain
• Configure TCP/IP for the intranet and Internet sides
• Configure and enable Routing and Remote Access
• Set up the server to work with the RADIUS server (IAS1)
• Set up the DHCP relay agent parameters

Step 5: Configure CLIENT1
• CLIENT1 is a computer running Windows XP Professional that is acting as a VPN client and gaining remote access to intranet resources across the simulated Internet. To configure CLIENT1 as a VPN client for a PPTP connection, perform the following steps:
1. Connect CLIENT1 to the intranet network segment.
2. On CLIENT1, install Windows XP Professional as a member computer named CLIENT1 of the example.com domain.
3. Add the VPNUser account in the example.com domain to the local Administrators group.
4. Log off and then log on using the VPNUser account in the example.com domain.
5. From Control Panel > Network Connections, obtain properties on the Local Area Network connection, and then obtain properties on Internet Protocol (TCP/IP).
6. Click the Alternate Configuration tab, and then click User configured.
7. In IP address, type 10.0.0.1. In Subnet mask, type 255.255.255.0. This is shown in the following figure.
8. Click OK to save changes to Internet Protocol (TCP/IP). Click OK to save changes to the Local Area Network connection.
9. Shut down the CLIENT1 computer.
10. Disconnect the CLIENT1 computer from the intranet network segment, and connect it to the simulated Internet network segment.
11. Restart the CLIENT1 computer and log on using the VPNUser account.
12. On CLIENT1, open the Network Connections folder from Control Panel.
13. In Network Tasks, click Create a new connection.
14. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
15. On the Network Connection Type page, click Connect to the network at my workplace. This is shown in the following figure.
19. Click Next. On the Connection Availability page, click Next.
20. On the Completing the New Connection Wizard page, click Finish. The Connect PPTPtoCorpnet dialog box is displayed. This is shown in the following figure.
21. Click Properties, and then click the Networking tab.
22. On the Networking tab, in Type of VPN, click PPTP VPN. This is shown in the following figure.
23. Click OK to save changes to the PPTPtoCorpnet connection. The Connect PPTPtoCorpnet dialog box is displayed.
24. In User name, type example\VPNUser. In Password, type the password you chose for the VPNUser account. This is shown in the following figure.
25. Click Connect.
26. When the connection is complete, run Internet Explorer.
27. If prompted by the Internet Connection Wizard, configure it for a LAN connection. In Address, type http://IIS1.example.com/winxp.gif. You should see a Windows XP graphic.
28. Click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the Local Drive (C:) on IIS1.
29. Right-click the PPTPtoCorpnet connection, and then click Disconnect.

End of Chapter
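The tunneling slides above (More on Tunneling, PPTP Format, Layer 3 Tunneling Protocol) describe encapsulation as "additional headers that carry routing information between the tunnel end points". The following is an added example, not code from the original slides or from Microsoft, that builds and takes apart both shapes of packet the slides show: the PPTP layer-2 form (IP header | GRE header | PPP header | PPP payload) and the layer-3 form (an IP packet placed behind a second IP header, which is what IPSec tunnel mode does before it adds its ESP header and encryption; the ESP part is not modelled here). The addresses follow the test lab: an inner packet between two 172.16.0.0/24 hosts is carried across the simulated 10.0.0.0/24 Internet from CLIENT1 (10.0.0.1) to VPN1, whose public address the slides do not give and is assumed to be 10.0.0.2; the call id and sequence number are likewise assumed.

```python
"""Tunnel encapsulation / decapsulation as described in the VPN slides.
Added example; not part of the original deck. Addresses other than CLIENT1's
10.0.0.1 and the 172.16.0.0/24 intranet, the call id and the sequence number
are assumed values chosen for illustration."""
import socket
import struct

IPPROTO_IPIP, IPPROTO_GRE = 4, 47
GRE_PROTO_PPP = 0x880B    # PPTP carries PPP inside "enhanced GRE" (RFC 2637)
GRE_FLAGS_K_S = 0x30      # Key and Sequence-number fields present
GRE_VERSION_PPTP = 0x01   # version 1 = enhanced GRE
PPP_PROTO_IP = 0x0021     # PPP protocol number for IPv4


def ip_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words; evaluates to 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Validate a header the way a tunnel end point must before acting on it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total = struct.unpack("!H", pkt[2:4])[0]
    if total > len(pkt):
        raise ValueError("truncated packet")
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:total]}


def pptp_encapsulate(inner_ip: bytes, tunnel_src: str, tunnel_dst: str, call_id: int, seq: int) -> bytes:
    """Layer-2 tunnel: outer IP | GRE | PPP header | PPP payload (the inner IP packet).
    Real PPTP applies MPPE to the PPP payload first; here it travels in clear."""
    ppp = struct.pack("!H", PPP_PROTO_IP) + inner_ip
    gre = struct.pack("!BBHHHI", GRE_FLAGS_K_S, GRE_VERSION_PPTP, GRE_PROTO_PPP,
                      len(ppp), call_id, seq)
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(ppp)) + gre + ppp


def pptp_decapsulate(outer: bytes):
    """Return (inner_ip_packet, call_id, seq); raise on anything that is not PPTP-over-GRE."""
    ip = parse_ipv4(outer)
    if ip["proto"] != IPPROTO_GRE or len(ip["payload"]) < 12:
        raise ValueError("outer packet is not GRE")
    flags, ver, ptype, plen, call_id, seq = struct.unpack("!BBHHHI", ip["payload"][:12])
    if not (flags & 0x20) or (ver & 0x07) != 1 or ptype != GRE_PROTO_PPP:
        raise ValueError("not PPTP enhanced GRE")
    ppp = ip["payload"][12:12 + plen]
    if len(ppp) != plen or len(ppp) < 2 or struct.unpack("!H", ppp[:2])[0] != PPP_PROTO_IP:
        raise ValueError("bad PPP frame")
    return ppp[2:], call_id, seq


def ipip_encapsulate(inner_ip: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Layer-3 tunnel: the whole inner IP packet becomes the payload of a new IP header."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner_ip)) + inner_ip


def ipip_decapsulate(outer: bytes) -> bytes:
    ip = parse_ipv4(outer)
    if ip["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    inner = ip["payload"]
    parse_ipv4(inner)  # the inner header must validate too before it is forwarded
    return inner


if __name__ == "__main__":
    # constructed sample: a 5-byte UDP-numbered payload between two intranet hosts
    inner = ipv4_header("172.16.0.5", "172.16.0.10", 17, 5) + b"hello"
    outer = pptp_encapsulate(inner, "10.0.0.1", "10.0.0.2", call_id=7, seq=1)
    print(len(outer), pptp_decapsulate(outer)[1:])
```

Two points worth noticing when the code runs. First, nothing in the GRE or IP-in-IP encapsulation hides the inner addresses or payload: an observer on the 10.0.0.0/24 segment can read the 172.16.0.0/24 addresses straight out of the outer packet, which is exactly why the slides pair the "tunnel" (encapsulation) with the "connection" (encryption by MPPE or IPSec). Second, a tunnel end point has to validate the outer and inner headers before forwarding; the checksum and protocol checks above are the minimum, and the decapsulators raise rather than silently passing a malformed packet into the private network.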
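Step 4 sets VPN1 up to "work with a RADIUS server", and the scenario slides list "Dial-up and VPNs with RADIUS authentication". What passes between VPN1 (the RADIUS client, or NAS) and IAS1 (the RADIUS server) when CLIENT1 connects is an Access-Request answered by an Access-Accept or Access-Reject. The following is an added example, not code from the slides or from Microsoft's IAS, that builds that exchange per RFC 2865 on both sides: password hiding keyed on the shared secret and Request Authenticator, and the Response Authenticator that lets the NAS tell a genuine verdict from a forged one. It uses PAP-style User-Password hiding because that is the simplest RFC 2865 mechanism to show; the lab's Windows clients would normally negotiate MS-CHAP v2 or EAP, which the slides mention but which are not modelled here. The shared secret, VPN1's intranet address (assumed 172.16.0.2), the password and the plaintext user table are all assumed values.

```python
"""RADIUS Access-Request / Access-Accept exchange between a VPN server (NAS) and a
RADIUS server, per RFC 2865. Added example, not from the original slides; the shared
secret, NAS address, password and the plaintext user table are assumptions."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), the first block seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], _md5(secret, prev))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, run on the RADIUS server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, _md5(secret, prev))
        prev = block
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(raw: bytes) -> dict:
    """Type-Length-Value attribute list; rejects lengths that run past the packet."""
    attrs, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("malformed attribute")
        kind, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute")
        attrs[kind] = raw[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_ip: str, request_auth: bytes = None):
    """NAS (VPN1) side. Returns (packet, request_authenticator); the NAS must keep the
    authenticator to check the reply. It has to be unpredictable: it seeds password hiding."""
    ra = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    hdr = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return hdr + ra + attrs, ra


def handle_access_request(packet: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server (IAS1) side: recover the password, decide, and sign the verdict with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < HEADER_LEN:
        raise ValueError("not a well-formed Access-Request")
    ra = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    ok = user in users and hmac.compare_digest(users[user].encode(), password)
    hdr = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, HEADER_LEN)
    return hdr + _md5(hdr, ra, b"", secret)  # no reply attributes in this example


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: True only if the reply was produced by a holder of the shared secret for
    this exact request. The verdict (code byte) is only meaningful when this returns True."""
    if len(response) < HEADER_LEN:
        return False
    hdr, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hmac.compare_digest(_md5(hdr, request_auth, attrs, secret), resp_auth)
```

The check in verify_response is the part that matters operationally: without it, anything on the path between VPN1 and IAS1 could answer Access-Accept for any user. Because that check is only as strong as the shared secret (it is mixed into an MD5 over the packet, nothing more), the secret should be long and random, and the RADIUS traffic belongs on the intranet side of VPN1, never on the simulated public segment where CLIENT1 sits.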