Network Internet Security Author

Overview

This article discusses many of the key technical concepts related to a VPN. A Virtual Private Network (VPN) integrates remote employees, company offices, and business partners using the Internet and secures encrypted tunnels between locations. An Access VPN is used to connect remote users to the enterprise network. The remote workstation or laptop uses an access circuit such as Cable, DSL or Wireless to connect to a local Internet Service Provider (ISP). With a client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop to the ISP using IPSec, Layer 2 Tunneling Protocol (L2TP), or Point to Point Tunneling Protocol (PPTP). The user must authenticate as a permitted VPN user with the ISP. Once that is finished, the ISP builds an encrypted tunnel to the company VPN router or concentrator. TACACS, RADIUS or Windows servers authenticate the remote user as an employee who is permitted access to the company network. With that finished, the remote user must then authenticate to the local Windows domain server, Unix server or Mainframe host, depending upon where their network account is located. The ISP-initiated model is less secure than the client-initiated model since the encrypted tunnel is built only from the ISP to the company VPN router or VPN concentrator. In that model the secure VPN tunnel is built with L2TP or L2F.

The Extranet VPN connects business partners to a company network by building a secure VPN connection from the business partner router to the company VPN router or concentrator. The specific tunneling protocol used depends upon whether it is a router connection or a remote dialup connection. The choices for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE). Dialup extranet connections implement L2TP or L2F. The Intranet VPN connects company offices through a secure connection using the same process, with IPSec or GRE as the tunneling protocols. It is important to note that what makes VPNs so cost-effective is that they leverage the existing Internet for transporting company traffic. That is why numerous companies are selecting IPSec as the security protocol of choice for guaranteeing that data is secure as it travels between routers, or between a laptop and a router. IPSec is comprised of 3DES encryption, IKE key exchange authentication and MD5 route authentication, which provide authentication, authorization and confidentiality.

Internet Protocol Security (IPSec)

IPSec operation is worth noting since it is such a prevalent security protocol used today with Virtual Private Networking. IPSec is specified in RFC 2401 and was developed as an open standard for secure transport of IP across the public Internet. The packet structure is comprised of an IP header, an IPSec header and an Encapsulating Security Payload. IPSec provides encryption services with 3DES and authentication with MD5. In addition there are Internet Key Exchange (IKE) and ISAKMP, which automate the distribution of secret keys between IPSec peer devices (concentrators and routers). Those protocols are required for negotiating one-way or two-way security associations. IPSec security associations are comprised of an encryption algorithm (3DES), a hash algorithm (MD5) and an authentication method (MD5). Access VPN implementations use 3 security associations (SA) per connection (transmit, receive and IKE). An enterprise network with many IPSec peer devices will use a Certificate Authority for scalability of the authentication process instead of IKE/pre-shared keys.

Laptop – VPN Concentrator IPSec Peer Connection

1. IKE Security Association Negotiation

2. IPSec Tunnel Setup

3. XAUTH Request / Response – (RADIUS Server Authentication)

4. Mode Config Response / Acknowledge (DHCP and DNS)

5. IPSec Security Association
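As an added example that is not from the article, the five-step sequence above modelled in Python: a constructed Concentrator class plays the server side and connect() the laptop side, so the order of the steps and the point at which a failure stops the setup can be exercised. The user store, address pool and DNS address are constructed placeholders; the challenge/response is a simplified CHAP-style stand-in for the RADIUS exchange and the SAs are represented only by their SPIs, so the example shows ordering and failure handling, not IKE cryptography.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the article): a RADIUS-style user store for
# XAUTH, the concentrator's pre-defined telecommuter pool and its internal DNS.
RADIUS_USERS = {"alice": b"correct-horse-battery"}
ADDRESS_POOL = [f"10.50.0.{i}" for i in range(1, 7)]  # six inner addresses
INTERNAL_DNS = "10.1.0.53"


class Concentrator:
    def __init__(self, policy):
        self.policy = policy   # accepted (encryption, hash, auth-method) tuples
        self.leases = {}       # telecommuter -> inner address from ADDRESS_POOL
        self.challenge = None

    def ike_negotiate(self, proposals):
        """Step 1: pick the first client proposal the local policy accepts."""
        for proposal in proposals:
            if proposal in self.policy:
                return proposal
        raise ValueError("IKE SA negotiation failed: no common proposal")

    def xauth_challenge(self):
        self.challenge = secrets.token_bytes(16)  # step 3a: fresh per attempt
        return self.challenge

    def xauth_verify(self, user, response):
        """Step 3b: recompute against the RADIUS store; constant-time compare."""
        secret = RADIUS_USERS.get(user, b"")
        expected = hmac.new(secret, self.challenge, hashlib.md5).digest()
        if user not in RADIUS_USERS or not hmac.compare_digest(expected, response):
            raise PermissionError(f"XAUTH rejected for {user!r}")

    def mode_config(self, user):
        """Step 4: lease an inner address from the pre-defined range plus DNS."""
        free = [a for a in ADDRESS_POOL if a not in self.leases.values()]
        if not free:
            raise RuntimeError("telecommuter address pool exhausted")
        self.leases[user] = free[0]
        return {"address": free[0], "dns": INTERNAL_DNS}


def connect(conc, user, password, proposals):
    """Laptop side: steps 1-5 in order; a failure raises before later steps."""
    tunnel = {"ike_sa": conc.ike_negotiate(proposals)}               # steps 1-2
    response = hmac.new(password, conc.xauth_challenge(), hashlib.md5).digest()
    conc.xauth_verify(user, response)                                  # step 3
    tunnel.update(conc.mode_config(user))                              # step 4
    tunnel["spi"] = {k: secrets.randbits(32) for k in ("tx", "rx", "ike")}  # 5
    return tunnel
```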

Access VPN Design

The Access VPN leverages the availability and low cost of the Internet for connectivity to the company core office, with WiFi, DSL and Cable access circuits from local Internet Service Providers. The main issue is that company information must be protected as it travels across the Internet from the telecommuter laptop to the company core office. The client-initiated model will be used, which builds an IPSec tunnel from each client laptop that is terminated at a VPN concentrator. Each laptop will be set up with VPN client software, which runs on Windows. The telecommuter must first dial a local access number and authenticate with the ISP. The RADIUS server authenticates each dial connection as an authorized telecommuter. Once that is finished, the remote user authenticates and is authorized with Windows, Solaris or a Mainframe server before starting any applications. There are dual VPN concentrators that will be set up for failover with Virtual Router Redundancy Protocol (VRRP) should one of them be unavailable.

Each concentrator is connected between the external router and the firewall. A new feature of the VPN concentrators prevents denial of service (DoS) attacks from outside hackers that could affect network availability. The firewalls are set up to permit source and destination IP addresses, which are assigned to each telecommuter from a pre-defined range. Likewise, any application and protocol ports that are required will be permitted through the firewall.

Extranet VPN Design

The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the main focus since the Internet will be used for transporting all data traffic from each business partner. There will be a circuit connection from each business partner that terminates at a VPN router at the company core office. Each business partner and its peer VPN router at the core office will use a router with a VPN module. That module provides IPSec and high-speed hardware encryption of packets before they are transported across the Internet. Peer VPN routers at the company core office are dual-homed to different multilayer switches for link diversity should one of the links be unavailable. It is necessary that traffic from one business partner does not end up at another business partner office. The switches are located between the external and internal firewalls and are used for connecting public servers and the external DNS server. That is not a security issue since the external firewall is filtering public Internet traffic.

In addition, filtering may be enforced at each network switch as well, to prevent routes from being advertised or vulnerabilities being exploited as a result of having business partner connections at the company core office multilayer switches. Separate VLANs will be assigned at each network switch for each business partner to improve security and segmentation of subnet traffic. The tier 2 external firewall will thoroughly examine each packet and permit those with the business partner source and destination IP address, application and protocol ports they require. Business partner sessions will have to authenticate with a RADIUS server. Once that is finished, they will authenticate at Windows, Solaris or Mainframe hosts before starting any applications.
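The filtering described for the telecommuter firewall in the Access VPN design (source and destination addresses from the pre-defined pool, plus the required application ports) and for the tier 2 extranet firewall here (per-partner addresses and ports, with no partner-to-partner traffic), as an added Python example that is not from the article. The address ranges and ports are constructed placeholders, and partner_isolation_holds() is a hypothetical pre-deployment audit of the rule list, not a feature of any firewall product.

```python
import ipaddress
from dataclasses import dataclass
from itertools import permutations

# Constructed sample addressing (not from the article): the pre-defined pool the
# concentrator assigns telecommuter addresses from, two business partner VLANs,
# and the core office servers both groups are allowed to reach.
TELECOMMUTER_POOL = ipaddress.ip_network("10.50.0.0/24")
PARTNER_VLANS = {"partner_a": ipaddress.ip_network("172.16.10.0/24"),
                 "partner_b": ipaddress.ip_network("172.16.20.0/24")}
CORE_SERVERS = ipaddress.ip_network("10.1.0.0/24")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dports: frozenset   # destination ports required by the application


def build_policy():
    """Explicit permits only; a packet matching no rule is dropped. Telecommuters
    and each partner VLAN reach core servers on the ports they need; there is
    deliberately no rule between partner VLANs."""
    rules = [Rule(TELECOMMUTER_POOL, CORE_SERVERS, "tcp", frozenset({443, 1433})),
             Rule(TELECOMMUTER_POOL, CORE_SERVERS, "udp", frozenset({53}))]
    for vlan in PARTNER_VLANS.values():
        rules.append(Rule(vlan, CORE_SERVERS, "tcp", frozenset({443})))
    return rules


def evaluate(rules, src, dst, proto, dport):
    """First-match permit over the rule list, default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and proto == r.proto and dport in r.dports:
            return "permit"
    return "deny"


def partner_isolation_holds(rules):
    """Audit check: no rule may permit one partner VLAN to reach another, so a
    mis-added rule is caught before the policy is deployed."""
    for a, b in permutations(PARTNER_VLANS.values(), 2):
        for r in rules:
            if r.src.overlaps(a) and r.dst.overlaps(b):
                return False
    return True
```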
