Technical Paper. Branch Office Networking

Similar documents
Software Activation. high security remote access. NCP Secure Entry Client

Seamless Roaming in a Remote Access VPN Environment

Secure Friendly Net Detection Server. July 2006

How to access peers with different VPN through IPSec. Tunnel

VPN. Date: 4/15/2004 By: Heena Patel

Astaro User Portal: Getting Software and Certificates Astaro IPsec Client: Configuring the Client...14

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Cisco Which VPN Solution is Right for You?

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall.

NCP Secure Enterprise Management for Windows OS. New Features version 1.03 to 2.05

RouteFinder. IPSec VPN Client. Setup Examples. Reference Guide. Internet Security Appliance

How To Establish Site-to-Site VPN Connection. using Preshared Key. Applicable Version: onwards. Overview. Scenario. Site A Configuration

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

The Shift to Wireless Data Communication

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Via the Gas Pump into the Internet

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

Nortel VPN Router Software Release V6_05.300

ZyWALL USG-Series. How to setup a Site-to-site VPN connection between two ZyWALL USG series.

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

VPN Tracker for Mac OS X

VPN Solution Guide Peplink Balance Series. Peplink Balance. VPN Solution Guide Copyright 2015 Peplink

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

Introduction to Security and PIX Firewall

SERVICE DESCRIPTION Wide Area Network

Configuring Check Point VPN-1/FireWall-1 and SecuRemote Client with Avaya IP Softphone via NAT - Issue 1.0

Automatic Hotspot Logon

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Remote Firewall Deployment

PRODUCTIVITY NETWORK, INC. Information Technology. VPN Overview

Security Solution Vendors 2015 Suppliers and solutions for network, data & storage, and endpoint security

21.4 Network Address Translation (NAT) NAT concept

Shrew Soft VPN Client Configuration for GTA Firewalls

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

IP Tunnels September 2014

WAN Data Link Protocols

Configuring a GB-OS Site-to-Site VPN to a Non-GTA Firewall

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

NCP Secure Enterprise Management Next Generation Network Access Technology

SonicWALL Global Management System Configuration Guide Standard Edition

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Understanding the Cisco VPN Client

RackConnect User Guide

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

Guideline for setting up a functional VPN

Cisco Site-to-Site VPN Lab 3 / GRE over IPSec VPNs by Michael T. Durham

Configuring GTA Firewalls for Remote Access

Workflow Guide. Establish Site-to-Site VPN Connection using RSA Keys. For Customers with Sophos Firewall Document Date: November 2015

Configuring a BANDIT Product for Virtual Private Networks

Rethink Remote Access

IP VPN Solutions Secure, flexible networking options from a leader in IP solutions

Case Studies. Static p2p GRE over IPsec with a Branch Dynamic Public IP Address Case Study. Overview CHAPTER

How do I set up a branch office VPN tunnel with the Management Server?

Intranet Security Solution

Virtual Private Network and Remote Access

Executive Summary and Purpose

Data Sheet. NCP Secure Enterprise Management. General description. Highlights

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

VPN. VPN For BIPAC 741/743GE

Using IPsec VPN to provide communication between offices

High Level Overview of IPSec and MPLS IPVPNs

Sophos UTM. Remote Access via IPsec. Configuring UTM and Client

VPN Tracker for Mac OS X

Table of Contents. Cisco Cisco VPN Client FAQ

bintec Workshop WAN Partner Configuration Copyright November 8, 2005 Funkwerk Enterprise Communications GmbH Version 0.9

Connecting Remote Users to Your Network with Windows Server 2003

Experiment # 6 Remote Access Services

StoneGate Installation Guide

VPN Tracker for Mac OS X

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

Innominate mguard Version 6

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Workflow Guide. Establish Site-to-Site VPN Connection using Digital Certificates. For Customers with Sophos Firewall Document Date: November 2015

Katana Client to Linksys VPN Gateway

GNAT Box VPN and VPN Client

Based on the VoIP Example 1(Basic Configuration and Registration), we will introduce how to dial the VoIP call through an encrypted VPN tunnel.

Data Sheet. NCP Secure Enterprise Management. Next Generation Network Access Technology

7.1. Remote Access Connection

Advanced Higher Computing. Computer Networks. Homework Sheets

How To Configure L2TP VPN Connection for MAC OS X client

PERSONAL FIREWALL SHOWDOWN: SOFTWARE VERSUS APPLIANCE

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Cisco Integrated Services Routers Performance Overview

NCP Secure Enterprise Management Next Generation Network Access Technology

The Industrial Wireless Book - Articles TECHNICAL ARTICLE: USING GPRS TO CONNECT SMALL, OUTLYING STATIONS

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

Connecting Remote Offices by Setting Up VPN Tunnels

Accessing BlackBerry Data Services Using Wi-Fi Networks

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Virtual Private Networks

GajShield UPTM Certification Module 4. GajShield Infotech Pvt Ltd

Configuration Guide. How to establish IPsec VPN Tunnel between D-Link DSR Router and iphone ios. Overview

Polycom. RealPresence Ready Firewall Traversal Tips

OvisLink 8000VPN VPN Guide WL/IP-8000VPN. Version 0.6

Configuring IPsec VPN between a FortiGate and Microsoft Azure

IP Ports and Protocols used by H.323 Devices

How To Establish IPSec VPN between Cyberoam and Microsoft Azure

Transcription:

Technical Paper Branch Office Networking

Network Communications Products engineering USA: NCP engineering, Inc. 444 Castro Street, Suite 711 Mountain View, CA 94041 Tel.: +1 (650) 316-6273 Fax: +1 (650) 251-4155 Germany: NCP engineering GmbH Dombuehler Str. 2 D-90449 Nuremberg Tel.: +49 (911) 9968-0 Fax: +49 (911) 9968-299 Internet http://www.ncp-e.com Email info@ncp-e.com Support NCP offers support for all international users by means of Fax and Email. Email Addresses helpdesk@ncp-e.com support@ncp-e.com (English) (German) Fax +1 (650) 251-4155 (USA) +49 (911) 9968-458 (Europe) When submitting a support request, please include the following information: exact product name serial number version number an accurate description of your problem any error message(s) Copyright While considerable care has been taken in the preparation and publication of this manual, errors in content, typo-graphical or otherwise, may occur. If you have any comments or recommendations concerning the accuracy, then please contact NCP. NCP makes no representations or warranties with respect to the contents or use of this manual, and explicitly disclaims all expressed or implied warranties of merchantability or suitability of use for any particular purpose. Furthermore, NCP reserves the right to revise this publication and to make amendments to the contents, at any time, without obligation to notify any person or entity of such revisions or changes. This manual is the sole property of NCP and may not be copied for resale, commercial distribution or translated to another language without the express written permission of NCP engineering GmbH. All trademarks or registered trademarks appearing in this manual belong to their respective owners. 2014 NCP engineering GmbH, All rights reserved. Page 2 of 7

What is required for secure and efficient networking of branch offices and the company headquarters? A site-to-site VPN is used to connect independent networks, for example, for branch office networking. In most cases this means that the branch office networks are connected to the network of the company headquarters. Another possibility is machine-tomachine (M2M) networking. In this case it is machines that communicate with the central gateway. In all cases VPN gateways are used. They establish a connection to the Internet, then they encode and authenticate the IP user data for transmission and tunnel it through the Internet. IPsec is the VPN protocol that is most frequently used for these types of connection. This article discusses aspects of branch office networking that are frequently disregarded during planning or extending site-to-site VPNs. However, these aspects cause problems none the less. Types of networks Meshed or star-shaped networks are the two options for branch office networking. With meshed networks, the branch offices are not only connected to the headquarters but also amongst each other. With star-shaped networks, however, all communication between the branch offices is channeled through one central VPN gateway. This results in higher latency in communication between the branch offices. However, a clear advantage of star-shaped networks is that IT administrators control the whole network via one central monitoring system. Hence, star-shaped networks allow for real time detection and locating communication faults between the branch offices. However, this requires a central VPN management system. Should communication faults occur in the crosslinks of a meshed network, however, locating them is much more difficult. If a network, for example, contains 100 branch offices, controlling this network would cause substantial extra effort. High Availability The criteria of availability differ, depending on which branch offices are connected to the main network. This means high availability has to be guaranteed for branch offices which must not break down; common examples are branch offices of banks and their ATM's or checkout systems of retail chains. In order to guarantee high availability, professional VPN systems support several backup systems. Monitoring the VPN connection is a basic requirement for being able to carry out backups. One method of connection monitoring is DPD (Dead Peer Detection- RFC). On top of that, the VPN gateway of the branch office should support several alternative media types (communication mediums) for Internet dial up. The VPN solution should be able to automatically recognize a communication fault with a remote side. If it does, the VPN gateway disconnects the standard connection automatically a sets up an alternative backup link. Most modern VPN software solutions support infinite backup connections. With these solutions, the restricting factor is the number of communication mediums the hardware supports. Page 3 of 7

Central Management A central VPN management system is required for effective networking of branch offices. Even if there are only a few branch offices, the time and money that has to be spent on local network administration is out of proportion. With M2M, such kind of administration this is hardly possible. Central management automates management of remote / branch office VPN gateways. The more VPN relevant systems the central management contains, the simpler and more manageable the network becomes for administrators. Apart from configuration and software update management the following tasks should be included into the management software, too: management of digital software or hardware certificate (CA) rollout, an LDAP console for identity and rights management as well as security monitoring of the end-devices (Network Access Control / Endpoint Security). Image 1: Multiple VPN Management Console Page 4 of 7

A VPN system secures all data transfers in an encrypted tunnel. However, sealing of the communication has to take place as early as Internet dial up, which is the most frequent point of vantage of hacker attacks. The core problem is how the branch offices authenticate towards the central gateway. One possibility for authentication are preshared keys, another is the use of certificates. For security reasons certificates are the better option, because they can be adapted. This means old certificates can be locked and new ones can be issued. Certificate handling has to be organized; i.e. if one certificate expires, the VPN management should offer automatisms that request and issue new certificates. At times, a further security requirement is simply overlooked: The firewall must only allow IPsec connections. Usually branch offices connect to the Internet via a DSL router. This router protects the VPN gateway. Some VPN gateways also support the communication medium PPPoE. This means, the gateway can directly be used for DSL dialup and a DSL router becomes obsolete. In this case, too, the firewall must only allow IPsec connections. Maintenance of the branch offices' VPN gateway can also be possible by direct dial up via ISDN - not via the Internet. Masking Administrators frequently demand access to all end-devices. They either want to access them from the headquarters or from the management system. Their demand is legitimate from their point of view. On the other hand it is easier to exclude the branch offices' IP networks and to mask them for communication with the headquarters. Masking means, they are hidden behind an address. However, these two demands contradict each other. If administrators have to access all branch office networks transparently, it is essential that each branch office network receives its own, unique IP address range (if it does not have one, yet). At the same time, this means that all installed routers and enddevices have to be configured again. This might be feasible for small networks, however, in larger network environments time and money IT administrators have to spent on this task is enormous. The administrator has to take care that the corresponding routes are known at the central side. Some VPN gateways dynamically publish the routing information, when a connection is set up. If transparent access is not absolutely essential, masking the IP addresses via Network Address Translation (NAT) is a viable solution. This means, the IP address is changed into a VPN tunnel IP address, which the host or the central VPN management system recognizes and automatically allocates to the branch office not to the end-device. This significantly reduces time and money spent on configuration and rollout. Page 5 of 7

Image 2: Masking (NAT) or transparent branch office access This means, companies have to choose between masking and access to all enddevices. The latter comes with increased administration effort for the branch offices. Of course, mixed operation is possible, too. Fragmenting and Maximum Transmission Unit (MTU) A further problem, which occurs, is the size of the data packets when communicating via different Internet dial-up media. For example, DSL allows for packet sizes of 1492 Byte. Frequently VPN data packets, which the branch office VPN gateway sends to the router via DSL, are larger than 1492 Byte. This results in fragmented VPN IPsec data packets as default. However, this fragmentation has a negative effect at IP level, since various routers do not accept fragmented IPsec packets. They do not forward such data packets and the data is lost. This problem can be combated with pre-fragmentation. This process does not fragment the IPsec packets but fragments the data packets prior to tunneling, which means, the IPsec tunnel header is added after fragmentation. With this method, the system only sends non-fragmented data packets that the Internet router / firewall accepts. Page 6 of 7

Modern professional VPN solutions provide this intelligent method of dynamic reduction of the MTU. Such VPN gateways are able to automatically adapt the packet size of TCP connections to the defined size prior to connection set up. Enforced 24h disconnect for DSL connections 24h disconnect is immaterial for site-to-site VPNs. However, during "peak times" a permanent connection has to remain established. Most providers automatically carry out the enforced 24h disconnect 24 hours after the first connection setup. This means that the administrator has to pay attention as early as VPN installation that the VPN gateway offers a feature that allows the administrator to set the time of the enforced 24h disconnect. Branch office structure is decisive All aspects discussed above should be taken into consideration when implementing a site-to-site VPN installation. In most cases it is only details that make branch office networking become difficult, even if it has been in place for years. Most VPN gateways are suitable for simple standard networks, however, administration and management tools separate the wheat from the chaff. Page 7 of 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information