In this section, we'll cover one of the foundations of network security issues, It talks about VPN (Virtual Private Networks). What..,Why..,and How….? It is hence vital for businesses with connections to the internet to ensure that their networks are secure. This is important to minimise the risk of intrusions both from insiders and outsiders. Although a network cannot be 100% safe, a secure network will keep everyone but the most determined hacker out of the network. A network with a good accounting and auditing system will ensure that all activities are logged thereby enabling malicious activity to be detected. Network security is a complicated subject, historically only tackled by well-trained and experienced experts. However, as more and more people become ``wired'', an increasing number of people need to understand the basics of security in a networked world A basic understanding of computer networks is requisite in order to understand the principles of network security. Information on the internet can be accessed from anywhere in the world in real time.While this is good for the spread of information, it has also allowed for the proliferation of ‘malicious information’. Hacker tools are now widely available on the internet. Some web sites even provides tutorials on how to hack into a system, giving details of the vulnerabilities of the different kinds of systems. Anyone with malicious intentions can search the internet for programs to break into a system which is not properly secured. HOME
Apa itu VPN? A VPN is a private connection over an open network A VPN includes authentication and encryption to protect data integrity and confidentiality VPN Internet Campus ITP1 Campus ITP2 HOME
VPN: Encapsulation HOME
Remote Access VPN Provides access to internal Campus network over the Internet Reduces long distance, modem bank, and technical support costs Internet Campus ITP1 Admin’s House
Remote Access VPN Site-to-Site VPN Connects multiple offices over Internet Reduces dependencies on frame relay and leased lines Internet Branch Office Corporate Site HOME
-7- Remote Access VPN Site-to-Site VPN Extranet VPN Provides business partners access to critical information (sales tools) Reduces transaction and operational costs Corporate Site Internet Partner #1 Partner #2 HOME
Remote Access VPN Site-to-Site VPN Extranet VPN Client/Server VPN Protects sensitive internal communications Most attacks originate within an organization LAN clients Database Server LAN clients with sensitive data HOME
More flexibility Leverage ISP point of presence Use multiple connection types (cable, DSL, T1, T3) Easy to add/remove users Mobility Security HOME
More flexibility More scalability Add new sites, users quickly Scale bandwidth to meet demand HOME
More flexibility More scalability Lower costs Reduced frame relay/leased line costs Cost Effective Reduced long distance Reduced equipment costs (modem banks,CSU/DSUs) Reduced technical support HOME
5 branch offices, 1 large corporate office, 200 remote access users. Payback: 1.04 months. Annual Savings: 88% Check Point VPN-1 Solution Non-VPN Solution Savings with Check Point Startup Costs (Hardware and Software) $51,965 Existing; sunk costs = $0 Site-to-Site Annual Cost $30,485$71,664 Frame relay $41,180 /yr RAS Annual Cost $48,000$604,800 Dial-in costs $556,800 /yr Combined Annual Cost $78,485$676,464 $597,980 /yr Case History – Professional Services Company HOME
Encryption Message authentication Entity authentication Key management HOME
Layer 2 remote access VPN distributed with Windows product family Addition to Point-to-Point Protocol (PPP) Allows multiple Layer 3 Protocols Uses proprietary authentication and ancryption Limited user management and scalability Known security vulnerabilities Internet Remote PPTP Client ISP Remote Access Switch PPTP RAS Server Corporate Network HOME
Layer 2 remote access VPN protocol Combines and extends PPTP and L2F (Cisco supported protocol) Weak authentication and encryption Does not include packet authentication, data integrity, or key management Must be combined with IPSec for enterprise-level security Internet Remote L2TP Client ISP L2TP Concentrator L2TP Server Corporate Network HOME
Layer 3 protocol for remote access, intranet, and extranet VPNs Internet standard for VPNs Provides flexible encryption and message authentication/integrity Includes key management HOME
Encryption Message Authentication Entity Authentication Key Management DES, 3DES, and more HMAC-MD5, HMAC-SHA- 1, or others Digital Certificates, Shared Secrets,Hybrid Mode IKE Internet Key Exchange (IKE), Public Key Infrastructure (PKI) All managed by security associations (SAs) HOME
-18- A mechanism for distributing keys either manually or automatically Includes: Key generation Certification Distribution Revocation HOME
-19- VPN device is vulnerable to attack eg. denial of service Two connections to the firewall for every communication request Bypasses security policy Denial of service VPN Internet Firewall Internet VPN Firewall Internet VPN Firewall Internet HOME
VPN device is vulnerable to attack eg. denial of service Two connections to the firewall for every communication request Bypasses security policy Denial of service VPN Internet Firewall Internet VPN Firewall Internet VPN Firewall Internet Only integrated VPN/firewall solutions can deliver full access control and consistent security policy enforcement HOME
The Problem: Remote access VPN clients can be “hijacked” Allows attackers into internal network The Solution: Centrally managed personal firewall on VPN clients Internet Attacker Cable or xDSL HOME
Click on Start – select Network Connections HOME
In Network Connections on the left hand side there is a link to “Create New Connection” – click on this and a wizard will pop up assisting the user HOME
Select “Connect to the Network at my Workplace” HOME
Select “Virtual Private Network Connection” HOME
Make a name for this connection that you are establishing – to distinguish this connection from other VPN connections that might already be established HOME
For this demonstration we are trying to connect to my wireless router off campus therefore the IP address that we insert is the IP address for my router which we can find out by running an ipconfig and it is the IP address for your default gateway NOTE: Not all routers will allow users to VPN into it HOME
Personal preference as to whether or not you want other users to be able to use this VPN connection on this computer HOME
In Start – Run insert the IP address of the computer that you want to access that is connected to the router HOME
Using the same username and password already established for the router you can connect to this specific computer HOME
These are only the files that are “shared” on this computer HOME
Virtual Private Networks have become mission-critical applications IPSec is the leading protocol for creating enterprise VPNs Provides encryption, authentication, and data integrity Organizations should look for: Integrated firewalls and VPNs Centralized management of VPN client security A method to provide VPN QoS HOME