VPN Client-to-LAN and LAN-to-LAN with Windows Small Business Server 2003: installation, configuration, security. Alessandro Appiani, Consultant, Microsoft.

Presentation transcript:

VPN Client-to-LAN and LAN-to-LAN with Windows Small Business Server 2003: installation, configuration, security. Alessandro Appiani, Consultant, Microsoft Certified Partner

Agenda
- VPN basics
- Protecting network communications: encryption overview
- VPNs compared: Client-to-LAN and LAN-to-LAN
- VPN in detail: tunneling protocol, authentication, encryption
- Windows Small Business Server 2003 technologies for Client-to-LAN and LAN-to-LAN VPN

What is a VPN? From the Windows Server 2003 site: Microsoft defines a virtual private network as the extension of a private network that encompasses links across shared or public networks like the Internet. verview/vpnfaq.mspx

What problems arise with network communication that uses public connectivity such as the Internet? Network monitoring; data modification; identity spoofing; man-in-the-middle; password-based attacks.

The solution: encrypting the transmitted data. Encryption at the application layer: SSL, TLS. Encryption at the network layer: tunneling protocol, IPSec. (Diagram: encrypted IP packet.)

Virtual Private Networks (VPN): an application of encryption technologies

VPN basics. A VPN consists of: an encryption technology; a tunneling method/protocol; a connection and transport mode (Client-to-LAN, LAN-to-LAN); a set of definitions for IP addressing, authentication, authorization and auditing.

Cryptography: encryption keys and algorithms; symmetric encryption; public key (asymmetric) encryption; encryption algorithms.

Encryption keys
Key type: Symmetric. Description: the same key is used to encrypt and decrypt the data; protects the data from interception.
Key type: Asymmetric. Description: consists of a public key and a private key; the private key is protected and confidential, while the public key can be distributed freely; data encrypted with the private key can be decrypted only with the corresponding public key, and vice versa.

How does symmetric encryption work? (Diagram: original data -> cipher text -> original data.) Symmetric encryption: uses the same key to encrypt and decrypt; is often referred to as bulk encryption; is inherently vulnerable because of the shared secret concept: the key is shared.

Using symmetric key encryption. Encrypting application data: EFS, S/MIME. Encrypting communication protocols: IPSec, TLS. (Diagram: User1 encrypts with the shared secret key and the encryption algorithm; User2 decrypts with the same shared secret key and the decryption algorithm.)

How does public key encryption work? Process:
1. The recipient's public key is retrieved
2. The data is encrypted with a symmetric key
3. The symmetric key is encrypted with the recipient's public key
4. The encrypted symmetric key and the encrypted data are sent to the recipient
5. The recipient decrypts the symmetric key with her private key
6. The data is decrypted with the symmetric key
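The six steps above as working code, an example added for this page and not taken from the presentation or from Microsoft: a fresh AES-256-GCM key protects the data (step 2) and RSA-OAEP wraps that key for the recipient (step 3); the algorithm choices, the Envelope structure and NewRecipientKey are this example's assumptions, not anything the slide names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what step 4 of the slide puts on the wire.
type Envelope struct {
	WrappedKey []byte   // step 3: symmetric key encrypted with the recipient's RSA public key (OAEP)
	Nonce      [12]byte // AES-GCM nonce, sent in the clear; fixed size so Open never sees a bad length
	Ciphertext []byte   // step 2: data encrypted and integrity-protected with AES-256-GCM
}
// NewRecipientKey makes the recipient's key pair; its public half is what step 1 retrieves.
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// aesGCM builds the AEAD for a 32-byte key; both constructors are infallible for that length.
func aesGCM(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Seal is the sender's side (steps 1-4): a fresh symmetric key per message, wrapped for the recipient.
func Seal(recipientPub *rsa.PublicKey, data []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // step 2's random AES-256 key followed by the GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key := [32]byte(buf[:32]) // slice-to-array conversion needs Go 1.20 or later
	env := &Envelope{Nonce: [12]byte(buf[32:])}
	env.Ciphertext = aesGCM(key).Seal(nil, env.Nonce[:], data, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key[:], nil)
	env.WrappedKey = wrapped
	return env, err
}
// Open is the recipient's side (steps 5-6); a tampered envelope or the wrong private key is rejected.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	unwrapped, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	var key [32]byte
	if len(unwrapped) != len(key) {
		return nil, rsa.ErrDecryption
	}
	copy(key[:], unwrapped)
	return aesGCM(key).Open(nil, env.Nonce[:], env.Ciphertext, nil)
}
```

The GCM tag is what turns step 6 into a check rather than a blind decrypt: a modified ciphertext or a key that does not unwrap yields an error instead of garbage.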

Public key encryption (diagram): 1. Alice encrypts the message with Bob's public key. 2. The encrypted message is sent over the network. 3. Bob decrypts the message with Bob's private key.

Public key authentication (diagram): 1. Alice signs the message with her private key. 2. The message is sent over the network. 3. Bob validates that the message is from Alice with Alice's public key.

From theory to practice...

Application layer: planning protocols for application-layer security; planning secure file transmissions; planning secure communications for web applications. Planning security for applications requires that the applications support the encryption. (Stack diagram: Application, SSL/TLS, TCP/UDP, IP/IPSec, Link layer, Physical layer.)

Network layer: a Virtual Private Network (VPN) is transparent to applications. (Stack diagram: Application, SSL/TLS, TCP/UDP, IP/IPSec, Link layer, Physical layer.)

VPN Client-to-LAN: connecting remote users to a corporate network. (Diagram: remote user, Internet, VPN tunnel, VPN server computer, corporate network.)

VPN LAN-to-LAN: connecting remote networks to a local network. (Diagram: remote network, VPN server computer, Internet, VPN tunnel, VPN server computer, local network.)

VPNs compared
LAN-to-LAN:
- uses devices/servers that handle the VPN communication and act as gateways between the two networks
- encryption is applied only to the communication between the gateways (tunnel endpoints)
- symmetric, shared-key encryption
- IP addressing must be planned
Client-to-LAN:
- a typical one (gateway/access point) to many (clients) connection
- encryption is applied to the communication between the gateway and N clients
- shared-key encryption is not adequate (the key would have to be distributed to N places!)
- can use PPP-based protocols (PPTP, L2TP)
- using IPsec requires asymmetric encryption techniques (PKI, certificates, ...)
- IP addressing is simple and integrated

Virtual Private Network protocols (diagram: client, Internet carrying PPTP or L2TP, server)
PPTP*: the internetwork must be IP based; no header compression; no tunnel authentication; built-in PPP encryption.
L2TP**: the internetwork can be IP, Frame Relay, X.25, or ATM based; header compression; tunnel authentication; uses IPSec encryption.
* PPTP: RFC   ** L2TP: RFC 2661

Selecting a tunneling protocol
Feature | L2TP/IPSec | PPTP | IPSec tunnel mode
Support for NAT | - | X | -
User authentication | X | X | -
Machine authentication | X | - | X
Multi-protocol support | X | X | X
Stronger security | X | - | X
Support for non-Windows 2000-based clients | - | X | -

Authentication protocols: standard authentication protocols; extensible authentication protocols.

Standard authentication protocols
Protocol | Security | Use when
PAP | Low | The client and server cannot negotiate using more secure validation
SPAP | Medium | Connecting a Shiva LANRover and a Windows 2000-based client, or a Shiva client and a Windows 2000-based remote access server
CHAP | High | You have clients that are not running Microsoft operating systems
MS-CHAP | High | You have clients running Windows NT version 4.0 and later, or Microsoft Windows 95 and later
MS-CHAP v2 | High | You have dial-up clients running Windows 2000, or VPN clients running Windows NT 4.0 or Windows 98
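What separates the "Low" and "High" rows in the table is whether the password crosses the link: PAP sends it in the clear, CHAP sends only a digest of a one-time challenge. The following is an added example, not code from the presentation, of a CHAP (MD5) verifier as specified in RFC 1994; the Server type, the user database and the secret are constructed for the example.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
)

// ChapResponse computes the RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge).
// The secret itself never crosses the link; only this digest does.
func ChapResponse(id byte, secret, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write(secret)
	h.Write(challenge)
	return h.Sum(nil)
}

// Server models the remote access server. It must hold each user's cleartext secret
// (Windows stores it with "reversible encryption" for CHAP) because it has to recompute
// the digest itself; that is the operational cost of CHAP compared with MS-CHAP v2.
type Server struct {
	secrets map[string][]byte // constructed user database: user name -> CHAP secret
	nextID  byte              // CHAP Identifier, incremented per challenge
}

// NewServer builds a server with a constructed sample user.
func NewServer() *Server {
	return &Server{secrets: map[string][]byte{"alice": []byte("constructed-secret")}}
}

// Challenge issues a fresh random 16-byte challenge together with its Identifier.
func (s *Server) Challenge() (id byte, challenge []byte, err error) {
	s.nextID++
	challenge = make([]byte, 16)
	_, err = rand.Read(challenge)
	return s.nextID, challenge, err
}

// Verify recomputes the expected digest from the stored secret and compares it in
// constant time; a response replayed against a different challenge will not match.
func (s *Server) Verify(user string, id byte, challenge, response []byte) bool {
	secret, ok := s.secrets[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(ChapResponse(id, secret, challenge), response) == 1
}
```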

Authentication

Extensible Authentication Protocol: allows the client and server to negotiate the authentication method that they will use; supports authentication using MD5-CHAP, Transport Layer Security (TLS), PEAP, smart cards, ...; ensures support of future authentication methods through an API.

Encryption protocols (remote access policy profile settings). Members of this group's dial-in profile can use IPSec 56-bit Data Encryption Standard (DES) or MPPE 40-bit data encryption. Members of this group's dial-in profile can use IPSec 56-bit DES or MPPE 56-bit data encryption. Members of this group's dial-in profile can use IPSec Triple DES (3DES) or MPPE 128-bit data encryption.

Windows Small Business Server 2003 VPN setup & configuration

To Do List

VPN Client-to-LAN. A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link. (Diagram: VPN client, Windows Small Business Server as VPN server.)
1. The VPN client calls the VPN server
2. The VPN server answers the call
3. The VPN server checks the directory to authenticate and authorize the caller
4. The VPN server transfers data

Windows Small Business Server Remote Access Wizard. This wizard provides on-screen instructions for configuring your server for: VPN connections; dial-up connections; both VPN and dial-up connections. After clicking Finish, the wizard: configures the server according to your selected settings; creates the Client Connection Manager configuration file; configures the remote access policy to allow members of the Mobile Users group to use remote access.

Example scenarios and demo

Router connection scenario (diagram): Internet, Router (ISP), SBS. Public network (e.g. /29); private network /24, SBS at .2; access via xDSL, optical fibre, ISDN, ...; public network with NAT (e.g. /24); internal domain azienda.local.

VPN LAN-to-LAN
- IP addressing
- Interoperability: what is on the other side? Windows Server 2003, Windows Server 2000 / ISA Server, ...
- Different versions of Windows SBS:
  Standard: Windows 2003 firewall; Remote Access Wizard (Client-to-LAN); no VPN LAN-to-LAN wizard
  Premium: ISA Server!; Remote Access Wizard (Client-to-LAN); ISA Server wizard for VPN LAN-to-LAN (with ISA Server on the other side as well)

Example LAN-to-LAN VPN network (diagram): headquarters sbs.net with SBS (ISA), private /24 network and public /24 network; Internet; branch office with Windows 2003 (ISA), private /24 network.

Security and control: Remote Access Account Lockout (KB816118); authorizing VPN connections (dial-in); remote access policy profile; packet filtering; accounting, auditing, and monitoring.

References and resources
- Technical resources for Windows Small Business Server: ...ault.mspx
- Virtual Private Networks for Windows Server: ...ng/vpn/default.mspx
- Virtual Private Networking with Windows Server 2003: Deploying Remote Access VPNs: ...echnologies/networking/vpndeplr.mspx
- Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site VPNs: ...echnologies/networking/vpndpls2.mspx

Courses and exams. MOC Course 2395: Design, Deploy, and Manage a Network Solution for a Small and Medium Business. Exam: Design, Deploy, and Manage a Network Solution for a Small- and Medium-Sized Business.