Setting Up a Virtual Private Network Chapter 9

Learning Objectives
- Understand the components and essential operations of virtual private networks (VPNs)
- Describe the different types of VPNs
- Create VPN setups such as mesh or hub-and-spoke configurations
- Choose the right tunneling protocol for your VPN
- Enable secure remote access for individual users via a VPN
- Observe best practices for configuring and maintaining VPNs effectively

VPNs
- Goal: provide a cost-effective and secure way to connect businesses to one another and remote workers to office networks
- Encapsulate and encrypt data being transmitted
- Use authentication to ensure that only approved users can access the VPN
- Provide a means of secure point-to-point communications over the public Internet

VPN Components and Operations
- Essential components that make up a VPN
- How VPNs enable data to be accessed securely
- Advantages and disadvantages of using VPNs compared to leased lines
- How VPNs extend network boundaries

Components within VPNs
- Hardware devices
- Two endpoints (terminators)
- A (virtual) tunnel between them
- Software that performs security-related activities

Devices That Form the Endpoints of the VPN
- Server running a tunneling protocol
- VPN appliance
- A firewall/VPN combination
- A router-based VPN

Essential Activities of VPNs
- IP encapsulation
- Data payload encryption
- Encrypted authentication

IP Encapsulation
- Provides a high degree of protection
- The VPN encapsulates the actual data packets within packets that use the source and destination addresses of the VPN gateways
- Source and destination information of the actual data packets is completely hidden
- Because a VPN tunnel is used, the source and destination IP addresses of the actual data packets can be in private reserved blocks that are not usually routable over the Internet

Data Payload Encryption
- Transport method
- Tunnel method

Encrypted Authentication
- Hosts are authenticated by exchanging long blocks of code (keys) that are generated by complex formulas (algorithms)
- Types of keys that can be exchanged: symmetric keys, asymmetric keys

Advantages and Disadvantages of VPNs

VPNs Extend a Network’s Boundaries
To deal with the increased risk caused by VPN connections:
- Use two or more authentication tools to identify remote users
- Integrate virus protection
- Set usage limits

Types of VPNs
- Site-to-site VPN: links two or more networks
- Client-to-site VPN: makes a network accessible to remote users who need dial-in access

VPN Appliances
- Hardware devices specially designed to terminate VPNs and join multiple LANs
- Permit connections, but do not provide other services (e.g., file sharing, printing)
- Enable connections of more tunnels and users than software systems
- Examples: SonicWALL series; Symantec Firewall/VPN appliance

Advantage of Using Hardware Systems

Software VPN Systems
- Generally less expensive than hardware systems
- Tend to scale better for fast-growing networks
- Examples: F-Secure VPN+; Novell BorderManager VPN services; Check Point FireWall-1

VPN Combinations of Hardware and Software
- Cisco 3000 Series VPN Concentrator
- Gives users the choice of operating in client mode or network extension mode

VPN Combinations of Different Vendors’ Products
- Challenge: get all pieces to talk to and communicate with one another successfully
- Pick a standard security protocol that is widely used and that all devices support (e.g., IPSec)

VPN Setups
- If two participants: configuration is relatively straightforward in terms of expense, technical difficulty, and time
- If three or more, several options: mesh configuration, hub-and-spoke arrangement, hybrid setup

Mesh Configuration
- Connects multiple computers that each have a security association (SA) with all other machines in the VPN

Hub-and-Spoke Configuration
- A single VPN router maintains records of all SAs
- Any device that wishes to participate in the VPN need only connect to the central router
- Easy to increase the size of the VPN
- The requirement that all communications flow into and out of the central router slows down communications

Hybrid Configuration
- Benefits from the strengths of each: the scalability of the hub-and-spoke option and the speed of the mesh option
- Use mesh for the most important branches of the network and critical communications
- Use hub-and-spoke for overseas branches and for new branch offices
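An added example (not from the chapter or the slides) that counts the security associations each of the three topologies needs for a constructed five-site VPN and traces the path a packet takes, so the scalability and speed trade-off can be checked in numbers; the site names and the choice of HQ as hub are assumptions.

```python
from collections import deque
from itertools import combinations

# Constructed site list; the three "critical" sites get a mesh, the rest hang off the hub.
SITES = ["HQ", "Datacenter", "Berlin", "Tokyo", "Sao Paulo"]
CRITICAL = {"HQ", "Datacenter", "Berlin"}

def mesh_sas(sites):
    """Mesh: every site keeps a security association (SA) with every other site."""
    return {frozenset(pair) for pair in combinations(sites, 2)}

def hub_spoke_sas(sites, hub):
    """Hub-and-spoke: each spoke holds one SA, to the hub; the hub holds all of them."""
    return {frozenset((hub, s)) for s in sites if s != hub}

def hybrid_sas(sites, critical, hub):
    """Hybrid: mesh among the critical sites, hub-and-spoke for everything else."""
    others = [s for s in sites if s not in critical]
    return mesh_sas(sorted(critical)) | hub_spoke_sas(others, hub)

def sas_per_site(sas):
    """How many SAs each device must maintain; shows where the hub becomes a bottleneck."""
    load = {}
    for sa in sas:
        for site in sa:
            load[site] = load.get(site, 0) + 1
    return load

def path(sas, src, dst):
    """Sites a packet crosses from src to dst (breadth-first over the SA graph), or None."""
    nbrs = {}
    for sa in sas:
        a, b = tuple(sa)
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(nbrs.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    route = []
    while dst is not None:
        route.append(dst)
        dst = prev[dst]
    return route[::-1]
```

Adding a sixth site costs one new SA in hub-and-spoke but five in the mesh, while spoke-to-spoke traffic in hub-and-spoke always takes the extra hop through the hub.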

Configurations and Extranet and Intranet Access
- Extranet: enable firewalls and anti-virus software for each remote user or business partner
- Intranet: establish usage limits; set up anti-virus and firewall protection

Configurations and Extranet and Intranet Access

Tunneling Protocols Used with VPNs
- IPSec/IKE
- PPTP (Point-to-Point Tunneling Protocol)
- L2TP (Layer 2 Tunneling Protocol)
- PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer)
- PPP over SSH (Point-to-Point Protocol over Secure Shell)

IPSec/IKE
IPSec provides:
- Encryption of the data part of packets
- Authentication
- Encapsulation between two VPN hosts
- Two security methods (AH and ESP)
- Capability to work in two modes (transport and tunnel)
IKE provides:
- Exchange of public and private keys
- Ability to determine which encryption protocols should be used to encrypt data that flows through the VPN tunnel
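To make the IP encapsulation slide and the two IPSec modes concrete, here is an added example (not from the chapter or the slides) that builds a packet between two private hosts and wraps it once in transport mode and once in tunnel mode, then reads back what an on-path observer would see in the outer header. The addresses, the SPI values and the SHA-256 keystream that stands in for ESP's real cipher are all constructed for illustration.

```python
import hashlib
import struct

# Constructed addresses: gateways from documentation ranges, hosts in RFC 1918 space.
GW_A, GW_B = "203.0.113.1", "198.51.100.1"
HOST_A, HOST_B = "10.1.0.25", "10.2.0.80"
ESP = 50  # IP protocol number an on-path observer sees in the outer header

def ip_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left zero for brevity)."""
    octets = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, octets(src), octets(dst))

def parse_header(pkt):
    """Return (src, dst, proto) exactly as an on-path observer reads them."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return ".".join(map(str, f[8])), ".".join(map(str, f[9])), f[6]

def _keystream(key, spi, seq, n):
    """Toy keystream (SHA-256 in counter mode): stand-in for ESP's cipher, not real ESP."""
    blocks = (hashlib.sha256(key + struct.pack("!III", spi, seq, i)).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_seal(key, spi, seq, plaintext):
    """ESP-like unit: SPI and sequence number in the clear, body XORed with keystream."""
    ks = _keystream(key, spi, seq, len(plaintext))
    return struct.pack("!II", spi, seq) + bytes(p ^ k for p, k in zip(plaintext, ks))

def esp_open(key, esp):
    spi, seq = struct.unpack("!II", esp[:8])
    return bytes(c ^ k for c, k in zip(esp[8:], _keystream(key, spi, seq, len(esp) - 8)))

def transport_mode(key, inner_pkt):
    """Transport mode: the original IP header stays visible; only the payload is protected."""
    src, dst, _ = parse_header(inner_pkt)
    esp = esp_seal(key, 0x100, 1, inner_pkt[20:])
    return ip_header(src, dst, ESP, len(esp)) + esp

def tunnel_mode(key, inner_pkt):
    """Tunnel mode: the whole inner packet, header included, is hidden behind a new
    outer header that names only the two VPN gateways."""
    esp = esp_seal(key, 0x200, 1, inner_pkt)
    return ip_header(GW_A, GW_B, ESP, len(esp)) + esp

def tunnel_open(key, outer_pkt):
    """The receiving gateway strips the outer header and recovers the original packet."""
    return esp_open(key, outer_pkt[20:])
```

In transport mode the private host addresses remain readable on the wire; in tunnel mode only the two gateway addresses are, which is why the inner packets can use non-routable private blocks.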

PPTP
- Developed by Microsoft for granting VPN access to remote users over dial-up connections
- Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data
- Useful if support for older clients is needed
- Compatible with Network Address Translation (NAT)
- Replaced by L2TP

L2TP
- Extension to PPP that enables dial-up users to establish a VPN connection to a remote access server
- Uses IPSec to encrypt data
- Incompatible with NAT, but provides a higher level of encryption and authentication

PPP over SSL and PPP over SSH
- Two UNIX-based methods for creating VPNs
- Both combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH)
- SSL: public key encryption system used to provide secure communications over the Web
- SSH: UNIX secure shell that uses secret key encryption (pre-shared key) to authenticate participants

When to Use Different VPN Protocols

Enabling Remote Access Connections within VPNs
- Issue the user VPN client software
- Make sure the user’s computer is equipped with anti-virus software and a firewall
- May need to obtain a key for the remote user if you plan to use IPSec to make the VPN connection as well

Configuring the Server
- Major operating systems include ways of providing secure remote access
- Linux: IP Masquerade feature
- Windows XP and 2000: Network Connections Wizard

Configuring the Server

Configuring Clients
- Involves either installing and configuring VPN client software or using the Network Connection Wizard
- Client workstation must be protected by a firewall

VPN Best Practices
- Security policy rules that specifically apply to the VPN
- Integration of firewall packet filtering with VPN traffic
- Auditing the VPN to make sure it is performing acceptably

The Need for a VPN Policy
- Identify who can use the VPN
- Ensure that all users know what constitutes proper use of the VPN
- Whether and how authentication is to be used
- Whether split tunneling is permitted
- How long users can be connected at any one session
- Whether virus protection is included

Packet Filtering and VPNs
- Encryption and decryption of data can be performed either outside the packet-filtering perimeter or inside it

PPTP Filter Rules

L2TP and IPSec Packet-Filtering Rules
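The rule tables for these two slides are not in the transcript, so here is an added example (not from the chapter or the slides) of a small rule matcher that encodes the well-known PPTP rules (TCP 1723 for control, GRE for data) and L2TP/IPSec rules (IKE on UDP 500, ESP, AH, UDP 4500 for NAT traversal, L2TP on UDP 1701), and shows how the filter's view changes depending on whether decryption happens outside or inside the packet-filtering perimeter. The rule names and the sample packets are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51  # IP protocol numbers

@dataclass(frozen=True)
class Rule:
    name: str
    proto: int
    dport: Optional[int] = None  # None: the protocol has no ports (GRE, ESP, AH)

@dataclass(frozen=True)
class Packet:
    proto: int
    dport: Optional[int] = None
    inner: Optional["Packet"] = None  # packet carried inside an ESP/AH envelope

# PPTP: TCP 1723 for the control channel, GRE for the tunnelled data.
PPTP_RULES = [Rule("pptp-control", TCP, 1723), Rule("pptp-gre", GRE)]
# L2TP/IPSec: IKE on UDP 500, ESP or AH carrying the tunnel, UDP 4500 when NAT
# traversal is in use, and L2TP itself on UDP 1701.
L2TP_IPSEC_RULES = [Rule("ike", UDP, 500), Rule("esp", ESP), Rule("ah", AH),
                    Rule("nat-t", UDP, 4500), Rule("l2tp", UDP, 1701)]

def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Name of the first rule that permits pkt, or None (default deny)."""
    for r in rules:
        if r.proto == pkt.proto and (r.dport is None or r.dport == pkt.dport):
            return r.name
    return None

def as_seen_by_filter(pkt: Packet, decrypt_outside_perimeter: bool) -> Packet:
    """Decrypting outside the perimeter lets the filter inspect the inner packet;
    decrypting inside leaves it only the ESP/AH envelope to judge."""
    if decrypt_outside_perimeter and pkt.proto in (ESP, AH) and pkt.inner is not None:
        return pkt.inner
    return pkt

def decide(rules: List[Rule], pkt: Packet, decrypt_outside_perimeter: bool) -> Optional[str]:
    """Filter decision for pkt given where the VPN endpoint sits relative to the filter."""
    return first_match(rules, as_seen_by_filter(pkt, decrypt_outside_perimeter))
```

When the VPN endpoint sits inside the perimeter, anything carried in ESP is passed on the strength of the "esp" rule alone, so the inner traffic must be filtered again after decryption.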

Auditing and Testing the VPN
- Time consuming
- Choose client software that is easy for end users to install on their own to save you time and effort

Chapter Summary
- Configuration and operations of VPNs