VPN Lesson 2: VPN Implementation. Summary





Notations (icons used in the slides): VPN client, firewall, router, VPN firewall, VPN router, VPN server, VPN concentrator

Basic Questions
1. VPN implementation options for remote users or sites
2. VPN implementation options for the corporate main network
3. How does a remote access VPN work? How to implement the VPN client and the VPN server? When the remote user sends a message to the corporate network, what is done in Step 1? What is done in Step 2? In Step 3?
4. How does a site-to-site VPN work? Overview of the things that a VPN router can do. When a host at one site sends a message to the other site, what is done in Step 1? What is done in Step 2? In Step 3?

Remote Access VPN (diagram: DMZ, AAA server, VPN concentrator, e.g. Cisco VPN Concentrator)

Step by Step Operations
Alice, an employee, is traveling in CA.
Her laptop: 200.200.1.2 (dynamic IP)
Real app server: 130.128.2.3 (port 126)
VPN server: 130.128.1.99 (port 89)
AAA server: 130.128.22.22 (port 212)

Assume Alice wants to get a service: access a file.
Step 1: If Alice constructs the request packet as follows, her request will be denied:
Source IP: 200.200.1.2
Dest IP: 130.128.2.3 (real app server)
Source port:
Dest port: 126
Other fields:
Reason: no direct access to the real server from outside.

To solve this problem:
Stage 1: Alice's laptop establishes a TCP handshake with the VPN server.
First packet: Source IP 200.200.1.2, Dest IP 130.128.1.99
Second packet: from the VPN server to the VPN client program running on Alice's laptop
Third packet: ACK from the client to the VPN server
Stage 2: authentication. The client sends the encrypted password and username to the VPN server.

Stage 2 (cont'd): However, the VPN server CANNOT authenticate the user by itself. So the VPN server forwards the password to the AAA server (through a separate TCP session). The AAA server checks the password. The AAA server sends a YES message to the VPN server; in addition, the AAA server tells the VPN server that Alice has permission to access the real server. The VPN server then tells the client, through the first TCP session, that Alice is authenticated.
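The perimeter decision of Step 1 and the AAA exchange of Stage 2, written out as an added Go example (this is not code from the lecture): a firewall rule that denies Alice's direct packet to the real server but admits her packet to the VPN server's port, and an AAA server whose check answers YES or NO and, on YES, lists the app servers she may reach. The corporate address block 130.128.0.0/16, the demo password and all Go names are this example's assumptions; the addresses and ports are the lecture's.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"strings"
)

// Addresses from the lecture's scenario (the ports are the lecture's, not
// standard service ports).
const (
	AliceIP = "200.200.1.2"
	AppIP   = "130.128.2.3"
	AppPort = 126
	VPNIP   = "130.128.1.99"
	VPNPort = 89
)

// Packet is the header view the corporate firewall filters on.
type Packet struct {
	SrcIP, DstIP string
	DstPort      int
}

// PerimeterAllows is the firewall decision behind "no direct access to the real
// server from outside": traffic from outside the corporate block (assumed here
// to be 130.128.0.0/16) may reach only the VPN server's listening port. Alice's
// Step 1 packet straight to the app server is denied; her Stage 1 packet to the
// VPN server is allowed.
func PerimeterAllows(p Packet) bool {
	if strings.HasPrefix(p.SrcIP, "130.128.") {
		return true // inside-to-inside traffic is not the perimeter's concern
	}
	return p.DstIP == VPNIP && p.DstPort == VPNPort
}

// AAAServer is the separate box the VPN server forwards credentials to. It
// stores SHA-256 password hashes (a production AAA would salt and stretch them)
// and, per user, the app servers that user has permission to reach.
type AAAServer struct {
	hashes map[string][32]byte
	perms  map[string]map[string]bool
}

// NewDemoAAA loads constructed demo data: one user, one permitted server.
func NewDemoAAA() *AAAServer {
	return &AAAServer{
		hashes: map[string][32]byte{"alice": sha256.Sum256([]byte("alice-demo-password"))},
		perms:  map[string]map[string]bool{"alice": {AppIP: true}},
	}
}

// Check is the AAA reply the lecture describes: YES or NO, and on YES the set
// of app servers the user may be relayed to. The comparison is constant time,
// and an unknown user is compared against a zero hash so that it takes the
// same path as a wrong password.
func (a *AAAServer) Check(user, password string) (bool, map[string]bool) {
	stored, known := a.hashes[user]
	sum := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(stored[:], sum[:]) != 1 || !known {
		return false, nil
	}
	return true, a.perms[user]
}
```

The permission set returned by Check is what the VPN server later uses to decide which real server it will open a third TCP session to; the VPN server itself never sees the password database.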

Stage 2 (cont'd):
VPN server: I can serve you.
VPN server: But we need to encrypt everything.
Client: Fine.
VPN server: Which encryption algorithm do you want to use?
Client: How about AES 1.0 with IV (initialization vector) value XXXX?
VPN server: Agreed.
VPN server: Which session key?
Client: I will pick a key, encrypt the key with the public key of the VPN server, and send the key to the VPN server.
VPN server: The key is a good key.

Stage 3: do the business.
VPN server: I know the session key; now I am ready to serve you.
VPN server: Hi, which app server do you want to access?
Client: 130.128.2.3
VPN server: Good, let me establish a TCP session with the real server.
The VPN server does a 3-way handshake with the real server: 3 steps, 3 packets.

Stage 3 (cont'd):
VPN server: Which service request do you want to send to the real server?
The client program encrypts the first service request using the session key and sends the packet to the VPN server.
The VPN server decrypts the packet and gets the 1st request.
The VPN server forwards this request to the real server through the 3rd TCP session.

Stage 3 (cont'd):
The real server gets the request and processes it.
The real server sends the result to the VPN server via the 3rd TCP session.
The VPN server encrypts the result and sends the encrypted result to the client via the 1st TCP session.
The client decrypts it, and the client program shows the result to Alice.

Stage 3 (cont'd): The client sends the 2nd request out. The VPN server gets it, decrypts it and sends it to the real server. The real server processes it and sends the results back to the VPN server. The VPN server encrypts them and sends them to the client. The client decrypts them and shows the result to Alice.
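Stage 2's key negotiation and the Stage 3 relay, as an added Go example that is not the lecture's code: the client picks a 32-byte session key and sends only a copy wrapped under the VPN server's RSA public key (RSA-OAEP), the server unwraps it, and each request is then decrypted at the VPN server, forwarded in the clear over the "3rd TCP session" (a function standing in for the real server here), and the result encrypted back for the 1st session. AES-256-GCM stands in for the lecture's "AES with IV", the Allowed set stands in for the AAA answer of the previous stage, and all names are this example's own. One caveat a practitioner should keep in mind: a client-chosen key wrapped under the server's public key gives no forward secrecy and only authenticates the server if the client already trusts that public key, which is why deployed remote-access VPNs do this step with IKE or TLS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const AppIP = "130.128.2.3" // the lecture's real app server

// must panics on errors that only mean a broken platform (no entropy, bad key size).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// The session cipher is AES-256-GCM (this example's choice for the lecture's
// "AES with an IV"; GCM also authenticates). seal prefixes a fresh random
// nonce, which must never repeat under one key; open strips it and rejects tampering.
func newAEAD(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func seal(a cipher.AEAD, msg []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	must(rand.Read(nonce))
	return a.Seal(nonce, nonce, msg, nil)
}

func open(a cipher.AEAD, ct []byte) ([]byte, error) {
	if n := a.NonceSize(); len(ct) >= n {
		return a.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// VPNServer holds the RSA key the client wraps the session key with, the app
// servers AAA said this user may reach (authentication is assumed done), the
// session cipher once negotiated, and the real app server behind the 3rd TCP session.
type VPNServer struct {
	Priv    *rsa.PrivateKey
	Allowed map[string]bool
	App     func(req string) string
	sess    cipher.AEAD
}

// SetSessionKey ends stage 2: the client picked the key and encrypted it with
// the server's public key; the server unwraps it (RSA-OAEP here).
func (v *VPNServer) SetSessionKey(wrapped []byte) error {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, v.Priv, wrapped, nil)
	if err == nil {
		v.sess = newAEAD(key)
	}
	return err
}

// Relay is stage 3 for one request: decrypt with the session key, refuse a
// target AAA did not permit, forward in the clear to the app server, and
// encrypt the result for the 1st TCP session back to the client.
func (v *VPNServer) Relay(target string, ct []byte) ([]byte, error) {
	if v.sess == nil || !v.Allowed[target] {
		return nil, errors.New("refused: no session key or no permission for " + target)
	}
	req, err := open(v.sess, ct)
	if err != nil {
		return nil, err
	}
	return seal(v.sess, []byte(v.App(string(req)))), nil
}

// RunScenario plays the key negotiation and one service request between the
// client program on Alice's laptop and the VPN server; it returns what Alice sees.
func RunScenario(target, req string) (string, error) {
	srv := &VPNServer{
		Priv:    must(rsa.GenerateKey(rand.Reader, 2048)),
		Allowed: map[string]bool{AppIP: true}, // AAA's answer for Alice
		App:     func(r string) string { return "contents of " + r },
	}
	key := make([]byte, 32) // the client picks the session key and sends only a
	must(rand.Read(key))    // copy wrapped with the server's public key
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, &srv.Priv.PublicKey, key, nil))
	if err := srv.SetSessionKey(wrapped); err != nil {
		return "", err
	}
	sess := newAEAD(key)                                     // client side of the session
	resp, err := srv.Relay(target, seal(sess, []byte(req))) // 1st request, encrypted
	if err != nil {
		return "", err
	}
	pt, err := open(sess, resp) // the client decrypts the result
	return string(pt), err
}

func main() { fmt.Println(RunScenario(AppIP, "report.txt")) }
```

Relay refuses two things the slides gloss over: a request that arrives before a session key exists, and a request for a server the AAA answer did not include, so the VPN server never opens a third TCP session that AAA has not authorized.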

VPN implementation options for remote users or sites:
- Software VPN clients, like the PSU client
- Hardware VPN clients (a small box)
- Remote site firewalling

Site-to-Site VPN

Site-to-Site VPN
VPN router: supports heavy-duty site-to-site VPN traffic. Target speed: Gigabit throughput. Not designed for remote access VPN.
In the standard setting, no employee desktop needs to encrypt or decrypt anything; all the encryption/decryption is done by the VPN routers. The two VPN routers negotiate the key between themselves.

Summary: VPN facilities used by a site
VPN firewall: a firewall armed with basic VPN capability (encryption, key management). Slow; less powerful. Suitable for small sites.
VPN router: supports heavy-duty site-to-site VPN traffic. Target speed: Gigabit throughput. Not designed for remote access VPN.
VPN concentrator: designed for remote access VPN. Heavy duty: supports 10,000 simultaneous remote users. Has no routing capability, so it should stay behind a router.

VPN implementation options for the corporate main network:
- Dedicated VPN server for remote access
- Hardware-to-hardware firewalls
- VPN routers to route traffic and terminate sessions
Q: For a VPN firewall, does that mean that the VPN firewall encrypts traffic? Is there an advantage to doing that over a VPN concentrator?
A: Hardware is quicker than software. Keeping the functions on separate boxes lets each one handle more traffic, but putting them together saves money.
Q: Could adding VPN slow down the firewall?
A: Yes.
Q: Will VPN significantly slow down the firewall?
A: VPN always slows down the firewall.
Q: Could a rule be set up to allow VPN packets to pass through?
A: The packets still need decryption.

How does a remote access VPN work?
The user has an established internet connection and the software client installed, and creates a tunnel over the public internet.
A VPN is not a replacement for other security measures: once traffic is through the concentrator, it is no longer secure.
Using personal systems to connect to a VPN could allow already-compromised systems onto the secured network.
The VPN server decrypts the data and sends it to the application.

How to implement the VPN client and the VPN server?
A VPN client is just a software program that is installed on the user's machine.
Q: Does the concentrator actually have routing capabilities, or does it only decrypt?
A: The concentrator knows where the application server is.
Q: A VPN router: does it need to be separate from the usual router?
A: You pay extra for the VPN capabilities; it is the same hardware device with an added VPN plug-in card. The VPN concentrator sits behind the router.
Q: What is the biggest difference between a VPN concentrator, a VPN router, a VPN firewall, a router and a firewall?
A: The VPN concentrator does not do routing. A VPN router is a router that can implement only the most popular VPN functionalities, which can satisfy most applications. VPN firewalls are very similar to VPN routers, since a router typically does firewalling. A pure firewall does not support VPN.
Q: Is the concentrator vulnerable to attacks?
A: The concentrator only handles VPN traffic and forwards everything to the application server. With the concentrator behind the router, there is no need for anything other than decryption.

Concluding Question: What is the biggest difference between a VPN concentrator, a VPN router, a VPN firewall, a router and a firewall?
The VPN concentrator does not do routing.
A VPN router is a router that can implement only the most popular VPN functionalities (encryption, key negotiation).
VPN firewalls vs. VPN routers: firewalls and routers do different jobs; in real products, you see combination equipment.
A pure firewall does not support VPN.