CYBR 4200 - Chapter 10
Hub-and-Spoke Configuration
For fast-growing networks a single VPN router contains records of all SAs in the VPN. Any LANs or computers that want to participate in the VPN only need to connect to the central server makes it easy to increase the size of the VPN ideally suited for communications within an organization that has a central main office and a number of branch offices. the requirement that all communications flow into and out of the central router slows down communications the central router must have double the bandwidth of other connections
Essential Activities of VPNs
IP encapsulation Data payload encryption Encrypted authentication
Data Payload Encryption
VPNs is that they can be implemented to fully or partially encrypt the data portion of the packets that are passing through them Transport mode Tunnel mode
how the testing of file transferring might work
1. After the remote user connects to your network, tell him or her to start up a Web browser and connect to your server. 2. Enter the username and password needed to access the server when prompted. 3. Locate the files to be transferred. .....
how the testing of a VPN client might work
1. Issue VPN client software and a certificate to the remote user. 2. Call the remote user on the phone and lead him or her through the process of installing the software and storing the certificate. 3. If you are using IPSec, verify with the remote user that the IPSec policies are the same on both the remote user's machine and on your VPN gateway. 4. Tell the user to start up the VPN software and connect to your gateway. 5. Tell the user to start up the VPN software and connect to your gateway. 6. After the connection is established, the remote user should authenticate by entering his or her username and password when prompted to do so.
The process of establishing an IPSec/IKE VPN connection
1. The host or gateway at one end of the VPN sends a request to a host or gateway at the other end, asking to establish a connection 2. The remote host or gateway generates a random number and sends a copy of the number back 3. The original machine encrypts its preshared key using the random number and sends the preshared key 4. The remote host decrypts the preshared key and compares it to its own preshared key or, if it has multiple keys, a set of keys called a keyring. 5. The original machine uses the public key to establish a security association (SA) between the two machines
The devices that form the endpoints of the VPN can be any of the following:
A server running VPN protocols (e.g., IPSec) A VPN appliance, which is a special hardware device devoted to setting up VPN communications A firewall/VPN combination: Many high-end firewall programs support VPN setups as part of their built-in features. A router-based VPN: Routers that support IPSec can be set up at the perimeter of the LANs to be connected. - IPSec concentrators. - use a complex set of security protocols to protect information
SSL-based VPNs
An increasingly popular alternative for remote access to Web-enabled applications make use of the SSL protocol (instead of IPSec) only allow access to Web-enabled applications.
Table 10-1
IPSec/IKE - Rapidly becoming the protocol of choice for VPN connections of all sorts; should be used when the other protocols are not acceptable PPTP - When a dial-up user has an old system that doesn't support L2TP and needs to use PPP to establish a VPN connection to your network L2TP - When a dial-up user needs to establish a VPN connection with your network (L2TP provides stronger protection than PPTP.) PPP Over SSL - When a UNIX user needs to create a VPN connection "on the fly" by connecting to the SSL port on a server PPP Over SSH - When a UNIX user needs to create a VPN connection "on the fly" over the UNIX secure shell (SSH) and both parties know the secret key in advance
Enabling Remote Access Connections Within VPNs
If users in disparate locations need to connect to the central network via a VPN, a remote access connection is needed VPN is a good way to secure communications with users who need to connect remotely by dialing into their ISP and establishing connections to the organizational network you need to issue VPN client software to that user make sure the user's computer is equipped with antivirus software and a firewall. may need to obtain a key for the remote user if you plan to use IPSec you may encounter the problem of having to find a phone provider that will have dial-up numbers in all locations. you may have to sign up with several different providers to obtain dial-up access from certain locations.
Tunneling Protocols Used with VPNs
In the past, firewalls that provided for the establishment of VPNs used proprietary protocols Today, the widespread acceptance of the IPSec protocol with the Internet Key Exchange (IKE) system
L2TP and IPSec Packet-Filtering Rules
L2TP uses IPSec to encrypt traffic as it passes through the firewall, set up packet-filtering rules that cover IPSec traffic Table 10-3 shows the filter rules you would use for remote users at IP addresses
Connecting from Personal Computers
One of the most troublesome aspects of allowing users remote access remote users must be carefully trained to understand that even when they access the organizational network from a personally owned piece of equipment, all organizational security policies (permitted use, required antivirus measures, etc.) apply during that use. It would not be appropriate for a content filter or a software license metering program to block employees from such personal uses
VPN Appliances
One way to set up a VPN is to use a general-purpose hardware device Another option is to obtain a VPN appliance,
PPTP Filters
PPTP is commonly used when older clients need to connect to a network through a VPN or when a tunnel must pass through a firewall that performs NAT. you need to set up packet-filtering rules that permit such communications Incoming PPTP connections arrive on TCP port 1723 PPTP packets use Generic Routing Encapsulating (GRE) packets that are identified by the protocol identification number ID 47 Filter rules, Table 10-12
Packet Filtering and VPNs
You can do encryption and decryption either outside the packet-filtering perimeter or inside it. packet filtering might be done by the firewall itself the same firewall may provide VPN services, or a separate VPN appliance may be used instead of a firewall-based VPN
Transport mode
The host encrypts traffic when it is generated; the data part of packets is encrypted, but not the headers. commonly used for remote client-to-server communications, as in teleworking.
VPN Best Practices
The successful operation of a VPN depends not only on its hardware and software components and overall configuration but also on a number of best practices. security policy rules that specifically apply to the VPN, integration of firewall packet filtering with VPN traffic, auditing the VPN to make sure it is performing acceptably.
Tunnel mode
The traffic is encrypted and decrypted in transit, somewhere between the source computer that generated it and its destination. both the header and the data portions of packets are encrypted.
Configuring Clients
This involves installing and configuring VPN client software or, in the case of a Windows-to-Windows network, using the Network Connection Wizard most important things to consider: whether your client software will work with all client platforms and whether the client workstation is itself protected by a firewall. All users who dial in to the LAN using a VPN extend the LAN and open up a new "hole" through which viruses and hackers can gain access
suggestions for how to deal with the increased risk
Use two or more authentication tools to identify remote users Integrate virus protection Use Network Access Control (NAC) Set usage limits
Hybrid Configuration
a VPN that starts out as a mesh design or hub-and-spoke design often evolves into a mixture of the two. you don't need to exclusively use one configuration or another the central core linking the most important branches of the network should probably be a mesh configuration. as branch offices are added, they can be added as spokes that connect to a central VPN router at the central office Time-critical communications with branch offices should be part of the mesh configuration. ar-flung offices, such as overseas branches, can be part of a hub-and-spoke configuration combines the two configurations benefits from the strengths of each one—the scalability of the hub-and-spoke option and the speed of the mesh option. try to have the branch offices that participate in the VPN use the same ISP - minimize the number of "hops"
virtual tunnel i
a communications path that makes use of Internet-based hosts and servers to conduct data from one network station to another,
Network Access Control (NAC)
a computer networking philosophy and a related set of protocols that are together used to evaluate the trustworthiness of a client wishing to join a network
VPN Setups
a mesh configuration, a hub-and-spoke arrangement, or a hybrid setup
virtual private networks (VPNs)
a solution for specific types of private communication channels: function like private leased lines encapsulate and encrypt the data being transmitted use authentication to ensure that only approved users can access the VPN. provide a means of secure point-to-point communications over the public Internet.
any type of VPN needs to be able to work with
any number of different operating systems or types of computers.
security association (SA)
approved relationship in VPN with every other participant.
VPN Components and Operations
can be set up with special hardware or with firewall software that includes VPN functionality. Many firewalls have VPN systems built into them because the rules that apply to the VPN are part of the firewall's existing security policy
Point-to-Point Tunneling Protocol (PPTP)
commonly used by remote users who need to connect to a network using a dial-in modem connection. uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data older technology than the other dial-in tunneling protocol, L2TP, useful if support for older clients is needed useful because packets sent using PPTP can pass through firewalls that perform Network Address Translation (NAT)
Drawbacks of VPNs
complex can create significant network vulnerabilities make use of the unpredictable and often unreliable Internet. if your VPN's authorization is not configured properly, you can easily expose the inner workings of your organization's network.
network extension mode
concentrator acts as a hardware device enabling a secure site-to-site VPN connection.
client mode
concentrator acts as a software client, enabling users to connect to another remote network via a VPN.
Configuring the Server
configuring the server to accept incoming connections If you use a firewall-based VPN, you need to identify the client computer major operating systems incorporate their own methods of providing secure remote access Linux - use the IP Masquerade feature built into the Linux kernel. - VPN Masquerade, enables remote users to connect to the Linux-based firewall using either PPTP or IPSec Windows - includes a Wizard that makes it particularly easy to set up a workstation to make a VPN connection - can also be set up to allow incoming VPN connections. - they need to configure their home router/ firewalls to allow the connection.
Configurations and Extranet and Intranet Access
creating VPNs that connect business partners and other branches of your own organization raises a number of questions and considerations. Each end of the VPN represents an extension of your organizational network to a new location - you are, in effect, creating an extranet. - The same security measures you take to protect your own network should be applied to the endpoints of the VPN. VPNs can also be used to give parts of your own organization access to other parts through an organizational intranet. Leaving the VPN connection "always on" can enable an unscrupulous staff to gain access to organizational resources that they are not allowed to use VPN users inside your organization should have usage limits and antivirus and firewall protection, just as outside users should
Mesh Configuration
each participant (i.e., network, router, or computer) in the VPN has an approved relationship specifically identify each of these participants to every other participant that uses the VPN. Before initiating a connection, each VPN hardware or software terminator checks its routing table or SA table to see if the other participant has an SA with it. Each LAN has the ability to establish VPN communications with all of the other participants in each of the other LAN segments If a new LAN is added to the VPN, all other VPN devices must be updated every host that needs to use the VPN in each of the LANs must be equipped with sufficient memory to operate the VPN client SW difficulty associated with expanding the network and updating every VPN device whenever a host is added.
Asymmetric keys:
each participant has two different keys: a private key and a complementary public key. participants in the transaction exchange their public keys. When recipients receive the encrypted messages, they can decrypt them using their private keys.
The Need for a VPN Policy
essential for identifying who can use the VPN and for ensuring that all users know what constitutes proper use of the VPN. can be a separate stand-alone policy, or it may be a clause should spell out who should have VPN access to your organizational network should also state whether authentication is to be used and how it is to be used, whether split tunneling (two connections over a VPN line) is permitted how long users can be connected using the VPN at any one session whether virus protection is included,
Encrypted Authentication
everything in the protected network and behind the gateway. The same cryptographic system that protects the information within packets can be used to authenticate computers Hosts are authenticated by exchanging long blocks of code, called keys, that are generated by complex formulas called algorithms. Symmetric keys
Endpoints
hardware and/or software components that perform the following: encryption to secure data, authentication to make sure the host requesting the data is an approved user of the VPN, and encapsulation, the inclusion of one data structure inside another data structure -helps protect the integrity of the information being sent.
VPN appliance
hardware device specially designed to serve as the endpoint for one or more VPNs and connect multiple LANs permit connections between large numbers of users or multiple networks don't provide other services, such as file sharing and printing. If the server goes offline or crashes the hardware VPN appliance doesn't go offline hardware systems may enable you to connect more tunnels and users than comparably priced software-only systems.
VPNs have two types of components:
hardware devices and software that performs security-related activities. Each VPN connection has two endpoints. A VPN connection occurs within the context of a TCP/IP tunnel a VPN uses a virtual tunnel between two endpoints. traverse the public Internet and must therefore handle the Internet's protocols and procedures. Each LAN's communications first go to its gateway and then to its backbone network and servers. ISPs involved may or may not be connected to the Internet backbone Certificate servers
Layer 2 Tunneling Protocol (L2TP)
incompatible with NAT provides a higher level of encryption and authentication. an extension of the protocol long used to establish dial-up connections on the Internet, PPP uses IPSec rather than MPPE to encrypt data sent over PPP provides secure authenticated remote access by encapsulating data into packets that are sent over a PPP channel initiating host machine makes a connection to a modem using PPP and then transmits those PPP data packets to be forwarded hen the data reaches that remote access server, its payload is unpacked and forwarded to the destination host
IP Encapsulation
information that passes to and from TCP/IP-based networks travels in manageable chunks called packets the process of enclosing one packet within another one that has different IP source and destination information. hides the source and destination information of the encapsulated packets; the encapsulating packet uses the source and destination addresses of the VPN gateway gateway might be a router that uses IPSec, a VPN appliance, or a firewall that functions as a VPN source and destination IP addresses of the encapsulated packets can be in the private reserved blocks
VPNs Extend Network Boundaries
it's increasingly likely that the contractors, vendors, and telecommuters who connect to an organization's internal network through a VPN will have a high-speed connection that is always on Unless you specifically place limits on how long such employees can use the VPN, they can be connected to your network around the clock. each VPN connection extends your network to a location that is out of your control, each such connection can open up your network to intrusions, viruses, or other problems. take extra care with users who connect to the VPN through always-on connections provisions should be supported by the organization's security policies, and requirements for their enforcement should be written into any agreements with business partners or contractors
Software VPN Systems
less expensive they tend to scale better on fast-growing networks products support traveling employees who need private access to an organizational LAN or intranet from any dial-up location, IT staff who need the ability to secure internal networks and partition parts of the network organizational partners who require secure connections to a company's data network for business collaboration. also use policy manager systems for enterprise-wide software distribution, policy creation, and management. Settings can be based on "role-based policies." all installations and maintenance can be performed from a single central location.
a site-to-site VPN.
links two or more networks
client-to-site VPN
makes a network accessible to remote users who need dial-in access
Certificate servers
manage certificates if that is required, and client computers that run VPN client software, which lets remote users connect to the LAN over the VPN.
Introduction
organizations routinely combine two or more LANs to facilitate point-to-point communications over a secure line that can be accessed by no one else Private leased lines often used to connect remote users or branch offices to a central administrative site - don't scale well
goal of a VPN
provide a cost-effective and secure way to connect business locations to one another and connect remote workers to office networks. all branches can communicate via a LAN-based file-sharing protocol, such as NetBIOS or AppleTalk.
Benefits of VPNs
secure networking without the expense of establishing and maintaining leased lines encryption/translation overhead to be done on dedicated systems, decreasing the load placed on production machines control the physical setup and therefore decide upon data encryption levels
leased lines
services purchased from a service provider that give the user dedicated use of a predefined bandwidth or data rate
IPSec/IKE
standard for secure encrypted communications developed by the Internet Engineering Task Force (IETF). IPSec provides for the following: encryption of the data part of packets, authentication to guarantee that packets come from valid sources, and encapsulation IPSec provides two security methods: Authenticated Headers (AH) and Encapsulating Security Payload (ESP). - AH is used to authenticate packets - ESP encrypts the data portion of packets IPSec can work in two different modes: transport mode and tunnel mode - Transport mode is used to provide secure communications between hosts over any range of IP addresses - Tunnel mode is used to create secure links between two private networks Tunnel mode is the obvious choice for VPNs; IPSec protocol by itself does not provide for user authentication - when combined with an authentication system like Kerberos, IPSec can authenticate users IPSec is commonly combined with IKE as a means of using public key cryptography to encrypt data between LANs or between a client and a LAN IKE provides for the exchange of public and private keys - can also determine which encryption protocols should be used to encrypt data
tunnel
the channel or pathway over a packet network used by the VPN that runs through the Internet from one end-point to another.
encryption and decryption outside the packet-filtering perimeter.
the firewall/VPN combination is configured to perform transport encryption. Packets are encrypted at the host as soon as they are generated. Already-encrypted packets pass through the packet filters at the perimeter of either LAN and are not filtered.
Symmetric keys
the keys are exactly the same. faster and more computationally efficient, more difficult to manage because each participant must have a copy of the secret key before communication can occur.
the same firewall may provide VPN services, or a separate VPN appliance may be used instead of a firewall-based VPN
the same firewall may provide VPN services, or a separate VPN appliance may be used instead of a firewall-based VPN Mangled packets can be dropped before they reach the firewall/VPN, thus providing additional protection for the destination LAN.
PPP Over SSL and PPP Over SSH
two UNIX-based methods for creating VPNs. combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH) PPP can be used to establish a connection between two hosts over an IP-based system. SSL is a public key encryption system used to provide secure communications over the World Wide Web SSH is the UNIX secure shell, which was developed when serious security flaws were identified in Telnet. - enables users to perform secure authenticated logons and encrypted communications between a client and host - requires that both client and host have a secret key in advance—a preshared key—in order to establish a connection.
VPN Combinations of Hardware and Software
use VPN systems that implement a VPN appliance at the central network and use client software at the remote end of each VPN connection VPN concentrator appliances give users the choice of operating in one of two modes: client mode or network extension mode
Mixed Vendor VPNs
uses hardware and software from different vendors. The challenge is to get all these pieces to communicate with one another successfully. pick a standard security protocol that is widely supported by all the devices, such as IPSec
Auditing and Testing the VPN
you need to test the VPN client on each computer that might use the VPN time-consuming prospect you can choose client software that is easy for end users to install on their own to save you time and effort. to check the VPN to make sure files are being transferred at an acceptable rate and that all parts of the VPN remain online when needed If part of the network goes down frequently, switch to another ISP , consider asking the various ISPs the following questions - How often does your network go offline? - Do you have back-up servers that will keep customers like me online if the primary server goes down? - Do you have back-up power supplies in case of a power outage? - How far are you from the network backbone? (Two or three hops is considered close; the closer to the backbone the ISP is, the faster the connection.)