Ch 10 Setting Up a Virtual Private Network - Sam Bowne

By Ethel Pierce, 2014-11-18 09:17

    Ch 10: Setting Up A Virtual Private Network


    Explain the components and essential operations of virtual private networks (VPNs)

    Describe the different types of VPNs

    Discuss VPN setups, such as mesh or hub-and-spoke configurations

    Select the right VPN tunneling protocol for a specific user need

    Define the process of setting up secure remote access for individual users via a VPN

    Discuss best practices for effective configuration and maintenance of VPNs


    Private leased lines

    Give the user dedicated use of a predefined bandwidth or data rate

    Often used to connect remote users or branch offices to a central administrative site

    Don't scale well


    Virtual Private Networks (VPNs)

    Function like private leased lines

    Provide a means of secure point-to-point communications over the public Internet

    VPN Components and Operations

    Many telecommunications companies provide VPN services

    Can be set up with special hardware or with firewall software that includes VPN functionality

    Many firewalls have VPN systems built into them

    Goal of a VPN

    Provide a cost-effective and secure way to connect business locations to one another and

    connect remote workers to office networks

    VPN Components


    Hardware and/or software components that perform encryption and encapsulation

    VPN connection

    Occurs within the context of a TCP/IP tunnel


    Tunnel

    Channel or pathway over a packet network used by the VPN

    Runs through the Internet from one endpoint to another

    Not a physical connection

    Virtual tunnel

    Communications path that makes use of Internet-based hosts and servers to conduct data

    from one network station to another

    Figure (next page)

    Illustrates that VPNs in fact traverse the public Internet and must therefore handle the

    Internet's protocols and procedures

    Devices that form the endpoints of the VPN:

    Server running VPN protocols

    VPN appliance

    Firewall/VPN combination

    Router-based VPN

    Certificate servers

    Manage certificates if that is required

    Client computers

    Run VPN client software

    CNIT 122 - Sam Bowne Page 1 of 11


Essential Activities of VPNs

    IP encapsulation

    Data payload encryption

    Encrypted authentication

    IP Encapsulation

    Hides the source and destination information of the encapsulated packets

    Encapsulating packet

    Uses the source and destination addresses of the VPN gateway

    Encapsulated packet

    Source and destination IP addresses can be in the private reserved blocks

    Not usually routable over the Internet

    Data Payload Encryption

    Encryption accomplished using:

    Transport mode

    Host encrypts data when it is transmitted

    Header is not encrypted


    Tunnel mode

    Traffic encrypted in transit

    Entire original packet encrypted, including its IP header; a new outer header (gateway to gateway) is added for routing

    Level of encryption varies

    For a given algorithm, longer keys make stronger encryption
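The two encapsulation modes described above, as an added example in Python that is not part of the original slides: it builds a constructed inner packet between two RFC 1918 hosts, wraps it ESP-style first in transport mode and then in tunnel mode, and shows what an on-path observer without the key learns from each. The addresses, session key and packet contents are constructed for the example; the HMAC-SHA256 counter-mode keystream and 16-byte ICV stand in for ESP's real cipher suite, and the next-header byte is carried at the front of the protected data rather than in an ESP trailer. Both are simplifications of this example, not how a real IPsec stack works. The same block also illustrates the Transport Mode v. Tunnel Mode comparison later in the chapter.

```python
import hashlib
import hmac
import struct

# Constructed addresses: private hosts behind two gateways that have public addresses.
HOST_A, HOST_B = "10.1.0.5", "10.2.0.9"       # RFC 1918: not routable on the Internet
GW_A, GW_B = "203.0.113.1", "198.51.100.1"    # RFC 5737 documentation ranges
PROTO_TCP, PROTO_ESP = 6, 50
SESSION_KEY = b"\x11" * 32   # constructed; in a real VPN this is negotiated by IKE
ICV_LEN = 16


def ones_complement_sum(data):
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_header(src, dst, proto, payload_len, ident=0x1234):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0, s, d)
    csum = ones_complement_sum(hdr) ^ 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def checksum_ok(hdr):
    """A valid header sums (one's complement) to 0xFFFF with the checksum field included."""
    return ones_complement_sum(hdr[:20]) == 0xFFFF


def parse_ip(pkt):
    """Return (src, dst, proto, payload) for a packet whose IPv4 header is in the clear."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return ".".join(map(str, f[8])), ".".join(map(str, f[9])), f[6], pkt[20:]


def keystream(key, spi, seq, n):
    """Illustrative keystream: HMAC-SHA256 in counter mode, keyed per (SPI, sequence).
    Assumption of this example only; real ESP uses a standard cipher such as AES-GCM."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encrypt(key, spi, seq, plaintext):
    """ESP-style body: SPI and sequence number in the clear, encrypted data, then an ICV."""
    ks = keystream(key, spi, seq, len(plaintext))
    body = struct.pack("!II", spi, seq) + bytes(p ^ k for p, k in zip(plaintext, ks))
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_decrypt(key, esp):
    """Verify the ICV first (reject tampering), then recover the plaintext."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    ct = body[8:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, spi, seq, len(ct))))


def transport_mode(inner_pkt, key, spi=0x100, seq=1):
    """Transport mode: keep the original IP header, protect only the payload.
    The original protocol number travels inside the protected data."""
    src, dst, proto, payload = parse_ip(inner_pkt)
    esp = esp_encrypt(key, spi, seq, bytes([proto]) + payload)
    return ip_header(src, dst, PROTO_ESP, len(esp)) + esp


def tunnel_mode(inner_pkt, key, spi=0x200, seq=1):
    """Tunnel mode: encrypt the whole inner packet, header included, and prepend
    a new outer header that carries only the gateways' public addresses."""
    esp = esp_encrypt(key, spi, seq, inner_pkt)
    return ip_header(GW_A, GW_B, PROTO_ESP, len(esp)) + esp


def observer_view(pkt):
    """What an on-path observer without the key learns from the outer header."""
    src, dst, proto, _ = parse_ip(pkt)
    return {"src": src, "dst": dst, "proto": proto}


def tcp_segment(sport, dport, data):
    """Minimal TCP header (no options, checksum left zero) for the constructed inner packet."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + data


# Constructed inner packet: HOST_A talking to HOST_B on port 443.
SEG = tcp_segment(40000, 443, b"GET / HTTP/1.1\r\n")
INNER = ip_header(HOST_A, HOST_B, PROTO_TCP, len(SEG)) + SEG

if __name__ == "__main__":
    print("transport:", observer_view(transport_mode(INNER, SESSION_KEY)))
    print("tunnel:   ", observer_view(tunnel_mode(INNER, SESSION_KEY)))
```

In transport mode the observer still learns which two hosts are talking (10.1.0.5 and 10.2.0.9), only the TCP header and data are hidden; in tunnel mode the observer sees only the two gateway addresses and protocol 50, and the private addresses never appear on the wire. Flipping one bit of the ICV makes `esp_decrypt` raise before anything is decrypted, which is the property that lets the gateway drop forged packets rather than decrypt garbage.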

    Encrypted Authentication

    Encryption domain

    Everything in the protected network and behind the gateway

    Authentication

    Hosts in the network need to know that originating host is an approved user of the VPN

    Exchange of long blocks of code, called keys

    Generated by complex formulas called algorithms

    Benefits and Drawbacks of VPNs


    Benefits

    Secure networking without the expense of establishing and maintaining leased lines

    Allow the packet encryption/translation overhead to be done on dedicated systems

    Provide control of physical setup



    Drawbacks

    If configured improperly, can create significant network vulnerabilities

    Make use of the unpredictable and often unreliable Internet

    Can expose inner workings of network

    If misconfigured

    VPNs Extend Network Boundaries

    VPN users will have a high-speed connection that is always on

    Can be connected to network around the clock

    Exposes your network to viruses & intrusions

    Guidelines for always-on users

    Use two or more authentication tools to identify remote user

    Multifactor authentication

    Integrate virus protection

    Use Network Access Control (NAC)

    Checks security settings on the remote computer before granting access

    Microsoft's Quarantine Server (links Ch 10a, 10b)

    Set usage limits

    Types of VPNs

    Site-to-site VPN

    Links two or more networks


    Client-to-site VPN

    Makes a network accessible to remote users

    Options for configuring VPNs:

    Hardware systems, software systems, and systems that combine hardware and software

    VPN Appliances

    General-purpose hardware device

    Such as a router

    Configured to use IPSec or another VPN protocol

    Obtain a VPN appliance

    Hardware device specially designed to serve as the endpoint for one or more VPNs


Hardware VPN

Software VPN Systems

    Less expensive than hardware systems

    Tend to scale better on fast-growing networks

    Use policy manager systems

    For enterprise-wide software distribution, policy creation, and management

    Allows multiple configuration profiles for end users

    SSL-based VPNs

    Use the SSL protocol (today TLS) instead of IPSec

    Clientless SSL VPNs only allow access to Web-enabled applications

    VPN Combinations of Hardware and Software

    Implement a VPN appliance at the central network

    Use client software at the remote end of each VPN connection

    Client mode

    Concentrator acts as a software client

    Network extension mode

    Concentrator acts as a hardware device

    Enables a secure site-to-site VPN connection

    Mixed Vendor VPNs

    Might have different vendors for:


    Client software

    VPN termination

    Pick a standard security protocol that is widely supported by all the devices

    Such as IPSec

    VPN Setups

    When three or more networks or individuals need to be connected:

    Mesh configuration

    Hub-and-spoke arrangement

    Hybrid setup

    Mesh Configuration

    Each participant has an approved relationship with every other participant

    Called a security association (SA)

    Need to specifically identify each of these participants to every other participant that uses the


    Figure 10-5

    Four separate LANs are joined in a mesh VPN

Hub-and-Spoke Configuration

    Single VPN router contains records of all SAs in the VPN

    Any LANs or computers that join the VPN need only connect to the central server

    Makes it easy to increase the size of the VPN

    As more branch offices or computers are added

    Central point of administration is more secure

    Drawback: centralization slows down communications

    Hub-and-Spoke VPN

Hybrid Configuration

    Mesh configurations tend to operate more efficiently

    As branch offices are added

    Add them as spokes that connect to a central VPN router at the central office

    Hybrid setup

    Combines the two configurations

    Benefits from the strengths of each one

    Configurations and Extranet and Intranet Access


    Extranet

    Each end of the VPN represents an extension of your organizational network to a new


    Each remote user or business partner should have firewalls and antivirus software




    Intranet

    Give parts of the organization access to other parts

    VPN users inside organization should have usage limits and antivirus and firewall


    Tunneling Protocols Used with VPNs

    Widespread acceptance of the IPSec protocol with the Internet Key Exchange (IKE) system

    Proprietary protocols are used far less often than in the past



    IPSec

    Standard for secure encrypted communications

    Two security methods:

    Authentication Header (AH) and Encapsulating Security Payload (ESP)

    Different modes:

    Transport mode and tunnel mode

    However, IPSec authenticates the endpoint (gateway or host) by pre-shared key or certificate, not the

    individual user, so Kerberos or some other user authentication protocol will be needed as well

    Transport Mode v. Tunnel Mode

    Transport mode

    Host encrypts data when it is transmitted

    Header is not encrypted

    Can be used to reach any IP address

    Tunnel mode

    Traffic encrypted in transit

    Entire packet encrypted, including headers

    Intended for point-to-point tunnel between two fixed IP addresses

    IKE (Internet Key Exchange)

    Means of negotiating security associations and session keys between LANs or between a

    client and a LAN

    Uses a Diffie-Hellman exchange so both ends derive the same session key; each end proves its identity with a pre-shared key or a public-key certificate

    Private keys are never sent over the network; only public values and authentication data are exchanged

    If VPN uses more than one kind of firewall

    Check with the manufacturers of those firewalls to see if their products will work with

    the other firewalls you have
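An added example, not from the slides, of the key agreement the IKE bullets describe, in Python with no third-party packages: both gateways derive the same session key from a Diffie-Hellman exchange without either private exponent leaving its host, and each proves knowledge of the pre-shared key with an HMAC over the exchanged values, so a modified public value or a wrong key is caught. The prime 2^127-1 with generator 2 is a toy group chosen for the example, the tag construction is a simplified stand-in for IKE's real PSK authentication, and the PSK and identities are constructed. The same block serves the "Encrypted Authentication" bullets earlier in the chapter.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption of this example: a real IKE deployment
# uses a standardised MODP or elliptic-curve group, not this one).
P = (1 << 127) - 1      # Mersenne prime 2**127 - 1
G = 2

PSK = b"example-pre-shared-key"   # constructed; installed on both gateways out of band


def make_keypair():
    """Private exponent stays on the host; only the public value is ever sent."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def auth_tag(psk, my_pub, peer_pub, my_id):
    """Simplified stand-in for IKE's PSK-based peer authentication: the tag binds
    both public values and the sender's identity under the pre-shared key."""
    data = my_pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big") + my_id
    return hmac.new(psk, data, hashlib.sha256).digest()


def derive_session_key(shared_secret, nonce_i, nonce_r):
    """Session key from the DH result plus both nonces (simplified PRF)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big") + nonce_i + nonce_r).digest()


def run_exchange(psk_initiator, psk_responder, tamper=False):
    """Simulate both peers on one machine.
    Returns (initiator_key, responder_key, authenticated)."""
    i_priv, i_pub = make_keypair()
    r_priv, r_pub = make_keypair()
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)

    # Messages 1 and 2: public values and nonces cross the untrusted network.
    # An active attacker may alter the initiator's public value in flight.
    i_pub_seen_by_r = i_pub + 1 if tamper else i_pub

    # Each side computes the shared secret from its own private exponent.
    i_shared = pow(r_pub, i_priv, P)
    r_shared = pow(i_pub_seen_by_r, r_priv, P)

    # Messages 3 and 4: each side proves knowledge of the PSK over what it saw.
    i_tag = auth_tag(psk_initiator, i_pub, r_pub, b"gw-a")
    r_ok = hmac.compare_digest(
        i_tag, auth_tag(psk_responder, i_pub_seen_by_r, r_pub, b"gw-a"))
    r_tag = auth_tag(psk_responder, r_pub, i_pub_seen_by_r, b"gw-b")
    i_ok = hmac.compare_digest(
        r_tag, auth_tag(psk_initiator, r_pub, i_pub, b"gw-b"))

    return (derive_session_key(i_shared, nonce_i, nonce_r),
            derive_session_key(r_shared, nonce_i, nonce_r),
            r_ok and i_ok)


if __name__ == "__main__":
    ki, kr, ok = run_exchange(PSK, PSK)
    print("keys match:", ki == kr, "authenticated:", ok)
    print("wrong PSK authenticated:", run_exchange(PSK, b"other")[2])
```

The second run in the usage above is the point of the slide's caveat: with a mismatched PSK the two sides still derive identical keys (Diffie-Hellman alone says nothing about who the peer is), and only the authentication step rejects the session. In real IKE the authentication also covers the proposal and SA parameters, which this example omits.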


    Point-to-Point Tunneling Protocol (PPTP)

    Commonly used to connect to a network using a dial-in modem connection

    Uses Microsoft Point-to-Point Encryption (MPPE)

    Useful if support for older clients is needed

    Caveat: its MS-CHAPv2 authentication is known to be breakable, so treat PPTP as a legacy protocol rather than a secure choice for new deployments


    Layer 2 Tunneling Protocol (L2TP)

    Extension of PPP, the protocol long used to establish dialup connections on the Internet

    Uses IPSec rather than MPPE to encrypt data (L2TP itself provides no encryption)

    Provides secure authenticated remote access by encapsulating data into packets that are sent over

    a PPP channel

    PPP Over SSL and PPP Over SSH

    Point-to-Point Protocol (PPP) over Secure Sockets Layer (SSL) and Point-to-Point Protocol (PPP)

    Over Secure Shell (SSH)

    UNIX-based methods for creating VPNs

    Combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or



    SSL (Secure Sockets Layer)

    Public-key-based encryption system (superseded today by TLS)

    Used to provide secure communications over the World Wide Web

Enabling Remote Access Connections Within VPNs

    Issue VPN client software to the user

    Make sure the user's computer is equipped with antivirus software and a firewall

    May need to obtain a key for the remote user

    Configuring the Server

    Firewall-based VPN

    Identify the client computer

    Major operating systems incorporate their own methods of providing secure remote


    Linux: IP Masquerade

    Similar to a transparent proxy (links Ch 10c, 10d)

    Windows: Wizard that makes it easy to set up a workstation to make a VPN connection

    Configuring Clients

    Configure each client that wants to use the VPN

    Consider whether:

    The client software will work with all client platforms

    The client workstation is itself protected by a firewall

    All users of VPN extend the LAN

    Open up a new hole through which viruses and hackers can gain access

    VPN Best Practices

    Security policy rules that specifically apply to the VPN

    Integration of firewall packet filtering with VPN traffic

    Auditing the VPN to make sure it is performing acceptably

    The Need for a VPN Policy

    Essential for:

    Identifying who can use the VPN

    Ensuring that all users know what constitutes proper use of the VPN

    Policy should state:

    Who should have VPN access to network

    Whether authentication is to be used and how it is to be used

    Whether split tunneling is permitted (if it is, the remote host is on the Internet and the internal network at the same time and can act as a bridge between them)

    How long users can be connected using the VPN at any one session

    Whether virus protection is included

    Connecting from Personal Computers

    Remote users must be carefully trained

    Understand that all organizational security policies apply during VPN use

    Even when connecting from personal equipment

    Packet Filtering and VPNs

    Decide where data encryption and decryption will be performed in relation to packet filtering

    Figure 10-11

    Encryption and decryption outside the packet-filtering perimeter







    Figure 10-12

    Encryption and decryption performed inside the packet-filtering perimeter using the

    tunnel method

    Tunnel Encryption (Encryption does not Prevent Filtering)

PPTP Filters

    PPTP uses TCP 1723 as the control channel

    It also uses Generic Routing Encapsulation to carry data

    Protocol ID 47

    Link Ch 10e
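An added Python example, not part of the original slides, that models the two filtering points discussed under Packet Filtering and VPNs and PPTP Filters: a perimeter policy that admits only VPN protocol traffic addressed to the concentrator (PPTP's TCP 1723 control channel plus GRE, IP protocol 47, with IPsec's UDP 500/4500, ESP and AH alongside for comparison), and an inner policy applied after decryption, where the real destination host and port finally become visible. The concentrator and LAN addresses, the sample packets and the inner allow-list are constructed; the `as_iptables` method renders the equivalent Linux rule text and is this example's own helper, not part of any VPN product.

```python
from dataclasses import dataclass

# Constructed topology: a VPN concentrator on the perimeter, corporate LAN behind it.
VPN_SERVER = "203.0.113.10"
TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51
PROTO_NAMES = {TCP: "tcp", UDP: "udp", GRE: "gre", ESP: "esp", AH: "ah"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0   # 0 for protocols that have no ports (GRE, ESP, AH)


@dataclass(frozen=True)
class Rule:
    name: str
    proto: int
    dst: str
    dports: tuple = ()   # empty: port-less protocol, any port

    def matches(self, p):
        return (p.proto == self.proto and p.dst == self.dst
                and (not self.dports or p.dport in self.dports))

    def as_iptables(self):
        """Equivalent Linux iptables rule (INPUT chain on the concentrator itself)."""
        cmd = f"iptables -A INPUT -d {self.dst} -p {PROTO_NAMES[self.proto]}"
        if self.dports:
            cmd += " -m multiport --dports " + ",".join(str(d) for d in self.dports)
        return cmd + " -j ACCEPT"


# Outer perimeter: only the VPN protocols themselves, and only to the concentrator.
# PPTP needs both rules: TCP 1723 for control and GRE (protocol 47) for data.
PERIMETER_RULES = [
    Rule("pptp-control", TCP, VPN_SERVER, (1723,)),
    Rule("pptp-data-gre", GRE, VPN_SERVER),
    # IPsec equivalents for comparison (numbers from the IKE/ESP/AH RFCs).
    Rule("ike-and-nat-t", UDP, VPN_SERVER, (500, 4500)),
    Rule("esp", ESP, VPN_SERVER),
    Rule("ah", AH, VPN_SERVER),
]

# Inner policy, applied to traffic after the concentrator has decrypted it:
# the outer filter saw only ESP or GRE, so this is where the real
# destination host and port can be checked.
INNER_RULES = [
    Rule("intranet-web", TCP, "10.0.0.80", (80, 443)),
    Rule("mail-imaps", TCP, "10.0.0.25", (993,)),
]


def decide(rules, p):
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.matches(p):
            return "ALLOW", r.name
    return "DENY", "default"


def perimeter_decision(p):
    return decide(PERIMETER_RULES, p)


def inner_decision(p):
    return decide(INNER_RULES, p)


def filter_decrypted(inner_packets):
    """Apply the inner policy to a batch of decrypted packets; returns the allowed ones."""
    return [p for p in inner_packets if inner_decision(p)[0] == "ALLOW"]


if __name__ == "__main__":
    # Constructed sample traffic: a remote client talking to the concentrator,
    # then the packets that emerge from the tunnel after decryption.
    outer = [Packet("198.51.100.7", VPN_SERVER, TCP, 1723),
             Packet("198.51.100.7", VPN_SERVER, GRE),
             Packet("198.51.100.7", "10.0.0.80", GRE)]
    inner = [Packet("10.200.0.5", "10.0.0.80", TCP, 443),
             Packet("10.200.0.5", "10.0.0.80", TCP, 445)]
    for p in outer:
        print("perimeter", p, perimeter_decision(p))
    for p in inner:
        print("inner    ", p, inner_decision(p))
    for r in PERIMETER_RULES:
        print(r.as_iptables())
```

The third outer packet (GRE sent straight at an internal host) is denied because the perimeter rules only accept VPN protocols addressed to the concentrator; the SMB attempt on port 445 is denied by the inner policy even though the outer filter could never have seen it. That split is what "encryption does not prevent filtering" means in practice: put the decryption point inside the perimeter and filter again on the cleartext.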
