Mar 27, 2000, IETF 47 - Pyda Srisuresh

Secure Remote Access with L2TP
Pyda Srisuresh
Enterprise Trust Model

- The enterprise Intranet is trusted.
- Direct-Dial (PSTN) PPP/IP access is an extension of the Intranet and is also trusted.
- Employees (on-site or remote) are trusted.
- L2TP/PPP/IP over a public Internet cannot be trusted because:
  – The LAC and LNS are not in the same administrative domain.
  – Employee-to-Enterprise IP traffic can be subject to security violations by the Internet or by the LAC.
Remote Access Server highlights

- Provides link-level authentication, authorization and accounting services.
- Static or dynamic IP address assignment to the remote user from an enterprise address pool.
- Provides host-route connectivity to the remote user and monitors link status.
- Uses RADIUS to provide the AAA services, so it can scale to a large number of remote users.
LNS as a NAS

- L2TP control messages allow an LNS to behave virtually the same as a NAS that physically terminates PPP sessions.
- L2TP adds tunneling overhead, reducing the effective throughput and path MTU size.
- Remote user IP packets (embedded in PPP and transported over a public Internet) fail the enterprise trust model.
SRAS extensions to LNS

- The LNS and IPsec security gateway functions reside on the same SRAS node.
- Three new security parameters, configurable on a per-user basis in RADIUS.
- End-user IP data traffic can be guaranteed to be IPsec-secured (user-to-SRAS) in both directions with no additional administrative setup.
- IPsec/IKE SA monitoring can be linked to the virtual PPP link staying alive.
Proposed RADIUS parameters

- IPSEC_MANDATE - Mandate IPsec security on the user-to-SRAS data traffic.
  – None (=0) - Not required.
  – LNS_AS_RAS (=1) - Required when terminating on an LNS (i.e., a virtual NAS).
  – SRAS (=2) - Required on any NAS.
- SECURITY_PROFILE - An IPsec security profile name containing the following:
  – Access control security filters
  – Security preferences for Security Associations
  – Security key generation source - Manual or IKE
  – Backup-NAT devices
  – Management utilities enforcing NAT policies
Proposed RADIUS parameters (cont.)

- IKE_NEGOTIATION_PROFILE - An IKE negotiation profile name containing the following:
  – IKE ID of the user and the SRAS
  – Preferred authentication approach and the associated parameters, such as a Pre-Shared Key or a pointer to an X.509 digital certificate
  – ISAKMP security negotiation preferences for phase I
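The slides on the SRAS extensions and the proposed RADIUS parameters describe a per-user policy decision: the value of IPSEC_MANDATE, combined with how the PPP session was terminated, decides whether cleartext user traffic may be forwarded, and SA monitoring is tied to the life of the virtual PPP link. The following Python sketch is an added example, not code from the presentation or from any SRAS implementation. It uses the attribute names and IPSEC_MANDATE values from the slides; the dictionary-shaped RADIUS reply, the termination labels, the SA state strings and the sample users are constructed for illustration and are not a real RADIUS encoding.

```python
"""Illustrative policy logic for the SRAS RADIUS parameters (added example).

Attribute names and IPSEC_MANDATE values follow the slides. The reply format,
termination labels and SA states are constructed for this example only.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class IpsecMandate(IntEnum):
    NONE = 0        # IPsec not required
    LNS_AS_RAS = 1  # required only when PPP terminates on an LNS (virtual NAS)
    SRAS = 2        # required on any NAS, physical or virtual


# How the PPP session reached the access server (constructed labels).
DIRECT_DIAL = "direct-dial"  # PSTN PPP, inside the enterprise trust model
L2TP_LNS = "l2tp-lns"        # PPP carried over L2TP across the public Internet


@dataclass(frozen=True)
class UserPolicy:
    ipsec_required: bool
    security_profile: Optional[str]
    ike_profile: Optional[str]


def ipsec_required(mandate, termination):
    """Decide whether this user's traffic must be IPsec-protected on this NAS.

    Values outside the three defined ones fail closed: an attribute the server
    does not understand must not silently downgrade to 'not required'.
    """
    try:
        m = IpsecMandate(int(mandate))
    except (ValueError, TypeError):
        return True
    if m is IpsecMandate.NONE:
        return False
    if m is IpsecMandate.LNS_AS_RAS:
        return termination == L2TP_LNS
    return True  # IpsecMandate.SRAS


def build_policy(radius_reply, termination):
    """Derive the per-user policy from the RADIUS reply attributes.

    If IPsec is mandated, both profile names must be present, otherwise the
    SRAS has no way to set up the SA and the session must be refused.
    """
    required = ipsec_required(radius_reply.get("IPSEC_MANDATE", 0), termination)
    sec = radius_reply.get("SECURITY_PROFILE")
    ike = radius_reply.get("IKE_NEGOTIATION_PROFILE")
    if required and not (sec and ike):
        raise ValueError(
            "IPSEC_MANDATE set but SECURITY_PROFILE or IKE_NEGOTIATION_PROFILE missing"
        )
    return UserPolicy(required, sec, ike)


def forward_decision(policy, packet_ipsec_protected):
    """Per-packet check: cleartext user data is dropped when IPsec is mandated."""
    if policy.ipsec_required and not packet_ipsec_protected:
        return "drop"
    return "forward"


def link_action(policy, sa_state):
    """Link SA monitoring to the virtual PPP link (constructed SA states).

    When the mandated SA is no longer established, tear the PPP session down
    rather than leave a live link whose traffic can no longer be protected.
    """
    if policy.ipsec_required and sa_state != "established":
        return "terminate-ppp"
    return "keep"


# Constructed sample replies, as a RADIUS server might return them per user.
SAMPLE_REPLIES = {
    "alice": {"IPSEC_MANDATE": 1, "SECURITY_PROFILE": "eng-default",
              "IKE_NEGOTIATION_PROFILE": "ike-cert"},
    "bob": {"IPSEC_MANDATE": 0},
    "carol": {"IPSEC_MANDATE": 2, "SECURITY_PROFILE": "finance",
              "IKE_NEGOTIATION_PROFILE": "ike-psk"},
}


if __name__ == "__main__":
    for user, reply in SAMPLE_REPLIES.items():
        for term in (DIRECT_DIAL, L2TP_LNS):
            pol = build_policy(reply, term)
            print(user, term, "ipsec_required:", pol.ipsec_required,
                  "cleartext:", forward_decision(pol, False),
                  "sa-expired:", link_action(pol, "expired"))
```

Walking the sample users through both termination types shows the intent of the three IPSEC_MANDATE values: alice (LNS_AS_RAS) is protected only when she arrives over L2TP, bob (None) is never forced, and carol (SRAS) is protected even on direct dial. The fail-closed branch for unrecognised values and the refusal to admit a mandated user whose profiles are missing are the checks a practitioner would want around such an attribute.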
Limitations to the SRAS approach

- IPsec tunneling overhead on top of L2TP tunneling overhead further reduces throughput and effective path MTU size.
- Multiple identity and authentication requirements on the end user.
- Link-level authentication is prone to session stealing over the Internet, unless better link authentication schemes are employed.