Network Security/5.5 Virtual Private Networks


What are three ways a VPN can be implemented?

1. A host-to-host VPN allows an individual host connected to the internet to establish a VPN connection to another host on the internet. The VPN software is needed on both hosts.
2. A site-to-site VPN uses routers on the edge of each site.
3. A remote-access VPN uses a server (VPN concentrator) configured to accept VPN connections from individual hosts.

What are three types of protocols used by a VPN?

1. Carrier protocol (such as IP)
2. Tunneling protocol (such as PPTP or L2TP)
3. Passenger protocol (for the data being transmitted)

Configure a Remote Access VPN

You work as the IT security administrator for a small corporate network. Occasionally, you and your co-administrators need to access internal resources when you are away from the office. You would like to set up a Remote Access VPN using pfSense to allow secure access. In this lab, your task is to use the pfSense wizard to create and configure an OpenVPN Remote Access server using the following guidelines:

Sign in to pfSense using:
- Username: admin
- Password: P@ssw0rd (zero)

Create a new certificate authority certificate using the following settings:
- Name: CorpNet-CA
- Country Code: GB
- State: Cambridgeshire
- City: Woodwalton
- Organization: CorpNet

Create a new server certificate using the following settings:
- Name: CorpNet
- Country Code: GB
- State: Cambridgeshire
- City: Woodwalton

Configure the VPN server using the following settings:
- Interface: WAN
- Protocol: UDP on IPv4 only
- Description: CorpNet-VPN
- Tunnel network IP: 198.28.20.0/24
- Local network IP: 198.28.56.18/24
- Concurrent Connections: 4
- DNS Server 1: 198.28.56.1

Configure the following:
- A firewall rule
- An OpenVPN rule

Set the OpenVPN server just created to Remote Access (User Auth).

Create and configure the following standard remote VPN users:
- Username: blindley, Password: L3tM31nNow, Full Name: Brian Lindley
- Username: jphillips, Password: L3tM31nToo, Full Name: Jacob Phillips

1. Sign in to the pfSense management console:
   - In the Username field, enter admin.
   - In the Password field, enter P@ssw0rd (zero).
   - Select SIGN IN or press Enter.
2. Start the VPN wizard and select the authentication backend type:
   - From the pfSense menu bar, select VPN > OpenVPN.
   - From the breadcrumb, select Wizards.
   - Under Select an Authentication Backend Type, make sure Local User Access is selected.
   - Select Next.
3. Create a new certificate authority certificate:
   - For Descriptive Name, enter CorpNet-CA.
   - For Country Code, enter GB.
   - For State, enter Cambridgeshire.
   - For City, enter Woodwalton.
   - For Organization, enter CorpNet.
   - Select Add new CA.
4. Create a new server certificate:
   - For Descriptive Name, enter CorpNet.
   - Verify that all of the previous values (Country Code, State/Province, and City) are the same.
   - Use all other default settings.
   - Select Create new Certificate.
5. Configure the VPN server:
   a. Under General OpenVPN Server Information:
      - Use the Interface drop-down menu to select WAN.
      - Verify that the Protocol is set to UDP on IPv4 only.
      - For Description, enter CorpNet-VPN.
   b. Under Tunnel Settings:
      - For Tunnel Network, enter 198.28.20.0/24.
      - For Local Network, enter 198.28.56.18/24.
      - For Concurrent Connections, enter 4.
   c. Under Client Settings, in DNS Server 1, enter 198.28.56.1.
   d. Select Next.
6. Configure the firewall rules:
   - Under Traffic from clients to server, select Firewall Rule.
   - Under Traffic from clients through VPN, select OpenVPN rule.
   - Select Next.
   - Select Finish.
7. Set the OpenVPN server just created to Remote Access (User Auth):
   - For the WAN interface, select the Edit Server icon (pencil).
   - For Server mode, use the drop-down and select Remote Access (User Auth).
   - Scroll to the bottom and select Save.
8. Configure the standard VPN users:
   a. From the pfSense menu bar, select System > User Manager.
   b. Select Add.
   c. Configure the User Properties as follows: Username, Password, Full name.
   d. Scroll to the bottom and select Save.
   Repeat steps 8b-8d to create the remaining VPN users.

Transport Layer Security (TLS)

A protocol that evolved from SSL and provides privacy and data integrity between two communicating applications.
- Authenticates the server to the client using public key cryptography and digital certificates
- Encrypts the entire communication session
- Uses port 443 or port 30

Virtual Private Network

A remote access connection that uses encryption to securely send data over an untrusted network

What is a VPN concentrator?

A server configured to accept VPN connections from individual hosts.
- Located on the edge of the network
- Establishes multiple connections with multiple hosts

Internet Protocol Security (IPsec)

A set of protocols that provides security (authentication and encryption) for the Internet Protocol; it can be used in conjunction with L2TP or to set up a VPN solution.
- Authentication Header (AH) provides authentication features. Use AH to enable authentication with IPsec.
- Encapsulating Security Payload (ESP) provides data encryption. Use ESP to encrypt data.

Point-to-Point Tunneling Protocol (PPTP)

An early tunneling protocol developed by Microsoft.
- Uses standard authentication protocols, such as Challenge-Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP)
- Supports TCP/IP only
- Encapsulates other LAN protocols and carries the data securely over an IP network
- Uses Microsoft's MPPE for data encryption
- Is supported by most operating systems and servers
- Uses TCP port 1723

Layer 2 Tunneling Protocol (L2TP)

An open standard for secure multi-protocol routing.
- Operates at the Data Link layer (Layer 2)
- Supports multiple protocols (not just IP)
- Uses IPsec for encryption. Combining L2TP with IPsec (called L2TP/IPsec) provides:
  - Per-packet data-origin authentication (non-repudiation)
  - Replay protection
  - Data confidentiality
- Is not supported by older operating systems
- Uses TCP port 1701 and UDP port 500

Tunneling

Communication method that encrypts packet contents and encapsulates them for routing through a public network

Which VPN protocol typically employs IPsec as its data encryption mechanism?

L2TP

L2TP (Layer 2 Tunneling Protocol) is the VPN protocol that typically employs IPsec as its data encryption mechanism. L2TP is the recommended VPN protocol to use on dial-up VPN connections. PPTP and PPP only support CHAP and PAP for data encryption. L2F offers no data encryption.

Which of the following VPN protocols is no longer considered secure?

PPTP

Point-to-Point Tunneling Protocol (PPTP) was one of the first VPN protocols and was developed by Microsoft. It is no longer considered secure and is essentially obsolete. Internet Protocol Security (IPsec) provides authentication and encryption, and it can be used in conjunction with L2TP or by itself as a VPN solution. IPsec is still considered very secure. The Secure Sockets Layer (SSL) Protocol has long been used to secure traffic generated by other IP protocols, such as HTTP, FTP, and email. SSL can also be used as a VPN solution, typically in a remote access scenario. Transport Layer Security (TLS) Protocol works in a similar way to SSL, even though they are not interoperable.

Which VPN implementation uses routers on the edge of each site?

Site-to-site VPN

A site-to-site VPN uses routers on the edge of each site. The routers are configured for a VPN connection and encrypt and decrypt the packets being passed between the sites. With this configuration, individual hosts are unaware of the VPN. A host-to-host VPN allows an individual host connected to the internet to establish a VPN connection to another host on the internet. Both devices must be configured for a VPN connection and have the software to encrypt and encapsulate the packets. A remote access VPN uses a server (called a VPN concentrator) configured to accept VPN connections from individual hosts. An always-on VPN employs the concept that a user is always on the VPN, whether physically within the LAN or remotely. There is no turning it on or off. All traffic is basically fully tunneled.

Which VPN tunnel style routes only certain types of traffic?

Split

A VPN split tunnel routes only certain types of traffic, usually determined by destination IP address, through the VPN tunnel. All other traffic is passed through the normal internet connection. A full VPN tunnel routes all of a user's network traffic through the VPN tunnel. This can sometimes send traffic that is not necessary. A site-to-site VPN is a VPN implementation that uses routers on the edge of each site. A host-to-host VPN implementation allows an individual host connected to the internet to establish a VPN connection to another host on the internet.

A VPN is primarily used for which of the following purposes?

Support secured communications over an untrusted network

Which statement BEST describes IPsec when used in tunnel mode?

The entire data packet, including headers, is encapsulated

When using IPsec in tunnel mode, the entire data packet, including original headers, is encapsulated. New encrypted packets are created with headers indicating only the endpoint addresses. Tunneling protects the identities of the communicating parties and original packet contents. Tunneling is frequently used to secure traffic traveling across insecure public channels, such as the internet. IPsec in tunnel mode is the most common configuration for gateway-to-gateway communications. In transport mode, routing is performed using the original headers; only the packet's payload is encrypted. Transport mode is primarily used in direct host-to-host communication outside of a dedicated IPsec gateway/firewall configuration.

What function do VPN endpoints provide?

They encrypt and decrypt packets, creating a secure virtual communication channel. Only the destination tunnel endpoint can unwrap the packets and decrypt the packet contents.

Layer 2 Forwarding (L2F)

A tunneling protocol developed by Cisco to establish virtual private network connections over the internet.
- Operates at the Data Link layer (Layer 2)
- Offers mutual authentication
- Does not encrypt data
- Merged with PPTP to create L2TP

Secure Socket Layer (SSL)

A well-established protocol to secure IP protocols such as HTTP and FTP.
- Authenticates the server to the client using public key cryptography and digital certificates
- Encrypts the entire communication session
- Uses port 443, which is a port that is often already open in most firewalls

A salesperson in your organization spends most of her time traveling between customer sites. After a customer visit, she must complete various managerial tasks, such as updating your organization's order database. Because she rarely comes back to your home office, she usually accesses the network from her notebook computer using Wi-Fi access provided by hotels, restaurants, and airports. Many of these locations provide unencrypted public Wi-Fi access, and you are concerned that sensitive data could be exposed. To remedy this situation, you decide to configure her notebook to use a VPN when accessing the home network over an open wireless connection. Which key steps should you take when implementing this configuration? (Select two.)

- Configure the VPN connection to use IPsec
- Configure the browser to send HTTPS requests through the VPN connection

It is generally considered acceptable to use a VPN connection to securely transfer data over an open Wi-Fi network. As long as strong tunneling ciphers and protocols are used, the VPN provides sufficient encryption to secure the connection, even though the wireless network itself is not encrypted. It is recommended that you use IPsec or SSL to secure the VPN, as these protocols are relatively secure. You should also configure the browser's HTTPS requests to go through the VPN connection. To conserve VPN bandwidth and improve latency, many VPN solutions automatically reroute web browsing traffic through the client's default network connection instead of through the VPN tunnel. This behavior would result in HTTP/HTTPS traffic being transmitted over the unsecure open wireless network instead of through the secure VPN tunnel. Avoid using PPTP with MS-CHAPv2 in a VPN over open wireless configuration, as these protocols are no longer considered secure.

Which IPSec subprotocol provides data encryption?

ESP

Encapsulating Security Payload (ESP) Protocol provides data encryption for IPsec traffic. Authentication Header (AH) provides message integrity through authentication, verifying that data is received unaltered from the trusted destination. AH provides no privacy and is often combined with ESP to achieve integrity and confidentiality.

In addition to Authentication Header (AH), IPsec is comprised of what other service?

Encapsulating Security Payload (ESP)

IPsec is comprised of two services. One service is named Authentication Header (AH), and the other is named Encapsulating Security Payload (ESP). AH is used primarily for authenticating the two communication partners of an IPsec link. ESP is used primarily to encrypt and secure the data transferred between IPsec partners. IPsec employs ISAKMP for encryption key management.

A group of salesmen would like to remotely access your private network through the internet while they are traveling. You want to control access to the private network through a single server. Which solution should you implement?

VPN concentrator
