Ch 10 Setting Up a Virtual Private Network - Sam Bowne

By Ethel Pierce, 2014-11-18 09:17

    Ch 10: Setting Up A Virtual Private Network

    Objectives

    Explain the components and essential operations of virtual private networks (VPNs)

    Describe the different types of VPNs

    Discuss VPN setups, such as mesh or hub-and-spoke configurations

    Select the right VPN tunneling protocol for a specific user need

    Define the process of setting up secure remote access for individual users via a VPN

    Discuss best practices for effective configuration and maintenance of VPNs


    Private leased lines

    Give the user dedicated use of a predefined bandwidth or data rate

    Often used to connect remote users or branch offices to a central administrative site

    Don't scale well

    Virtual private networks (VPNs)

    Function like private leased lines

    Provide a means of secure point-to-point communications over the public Internet

    VPN Components and Operations

    Many telecommunications companies provide VPN services

    Can be set up with special hardware or with firewall software that includes VPN functionality

    Many firewalls have VPN systems built into them

    Goal of a VPN

    Provide a cost-effective and secure way to connect business locations to one another and connect remote workers to office networks

    VPN Components


    Hardware and/or software components that perform encryption and encapsulation

    VPN connection

    Occurs within the context of a TCP/IP tunnel

    Tunnel

    Channel or pathway over a packet network used by the VPN

    Runs through the Internet from one endpoint to another

    Not a physical connection

    Virtual tunnel

    Communications path that makes use of Internet-based hosts and servers to conduct data from one network station to another

    Figure (next page) illustrates that VPNs in fact traverse the public Internet and must therefore handle the Internet's protocols and procedures

    Devices that form the endpoints of the VPN:

    Server running VPN protocols

    VPN appliance

    Firewall/VPN combination

    Router-based VPN

    Certificate servers

    Manage certificates if that is required

    Client computers

    Run VPN client software

    CNIT 122 - Sam Bowne Page 1 of 11


Essential Activities of VPNs

    IP encapsulation

    Data payload encryption

    Encrypted authentication

    IP Encapsulation

    Hides the source and destination information of the encapsulated packets

    Encapsulating packet

    Uses the source and destination addresses of the VPN gateway

    Encapsulated packet

    Source and destination IP addresses can be in the private reserved blocks

    Not usually routable over the Internet

    Data Payload Encryption

    Encryption accomplished using:

    Transport mode

    Host encrypts data when it is transmitted

    Header is not encrypted


    Tunnel mode

    Traffic encrypted in transit

    Entire packet encrypted, including headers

    Level of encryption varies

    Longer keys make stronger encryption
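As an added illustration (not from the slides), the following Python models the IP encapsulation and the two encryption modes described above: a minimal IPv4 header builder, a stand-in cipher (a SHA-256 keystream, chosen only so the example runs with the standard library; real VPNs use an authenticated cipher such as AES-GCM), and functions showing what an observer on the Internet path can read in transport mode versus tunnel mode. All addresses, the key and the payload are constructed sample values.

```python
import hashlib
import ipaddress
import struct

ESP_PROTO = 50          # protocol number the outer header carries for IPsec ESP
_FMT = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header (checksum left zero)

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Bare IPv4 header; constructed for illustration, not a full IP stack."""
    return struct.pack(_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_header(pkt: bytes) -> dict:
    """What a router on the path can read: addresses, protocol and the payload bytes."""
    *_, proto, _csum, src, dst = struct.unpack(_FMT, pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[20:]}

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher (SHA-256 counter keystream XORed over the data) so the example needs
    only the standard library; a real VPN uses AES-GCM or similar. XOR is symmetric: same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def transport_mode(pkt: bytes, key: bytes) -> bytes:
    """Transport mode: the host's header stays in the clear; only the payload is encrypted."""
    h = parse_header(pkt)
    enc = keystream_xor(key, h["payload"])
    return ipv4_header(h["src"], h["dst"], ESP_PROTO, len(enc)) + enc

def tunnel_mode(pkt: bytes, key: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the entire inner packet, header included, is encrypted, and a new
    outer header carrying only the two VPN gateways' addresses is put in front."""
    enc = keystream_xor(key, pkt)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(enc)) + enc

def tunnel_decapsulate(outer: bytes, key: bytes) -> bytes:
    """Receiving gateway: strip the outer header and decrypt to recover the inner packet."""
    return keystream_xor(key, parse_header(outer)["payload"])

# Constructed sample: private (RFC 1918) addresses that are not routable across the Internet.
INNER = ipv4_header("10.1.1.5", "10.2.2.9", 6, 21) + b"GET /payroll HTTP/1.1"
KEY = b"constructed-demo-key"

if __name__ == "__main__":  # what an eavesdropper on the Internet path sees in each mode
    for name, p in (("transport", transport_mode(INNER, KEY)),
                    ("tunnel", tunnel_mode(INNER, KEY, "203.0.113.1", "198.51.100.7"))):
        print(name, "mode exposes", parse_header(p)["src"], "->", parse_header(p)["dst"])
```

In transport mode the private source and destination addresses remain visible to every router on the path; in tunnel mode only the gateway addresses appear, which is why the inner packet may use addresses that the Internet would not route.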

    Encrypted Authentication

    Encryption domain

    Everything in the protected network and behind the gateway

    Authentication

    Hosts in the network need to know that originating host is an approved user of the VPN

    Exchange of long blocks of code, called keys

    Generated by complex formulas called algorithms

    Benefits and Drawbacks of VPNs

    Benefits

    Secure networking without the expense of establishing and maintaining leased lines

    Allow the packet encryption/translation overhead to be done on dedicated systems

    Provide control of physical setup

    Drawbacks

    If configured improperly, can create significant network vulnerabilities

    Make use of the unpredictable and often unreliable Internet

    Can expose inner workings of network

    If misconfigured

    VPNs Extend Network Boundaries

    VPN users will have a high-speed connection that is always on

    Can be connected to network around the clock

    Exposes your network to viruses & intrusions

    Guidelines for always-on users

    Use two or more authentication tools to identify remote user

    Multifactor authentication

    Integrate virus protection

    Use Network Access Control (NAC)

    Checks security settings on the remote computer before granting access

    Microsoft's Quarantine Server (links Ch 10a, 10b)

    Set usage limits

    Types of VPNs

    Site-to-site VPN

    Links two or more networks

    Client-to-site VPN

    Makes a network accessible to remote users

    Options for configuring VPNs:

    Hardware systems, software systems, and systems that combine hardware and software

    VPN Appliances

    General-purpose hardware device

    Such as a router

    Configure to use IPSec or another VPN protocol

    Obtain a VPN appliance

    Hardware device specially designed to serve as the endpoint for one or more VPNs


Hardware VPN