Intranet Security Solution



Similar documents
Cisco Which VPN Solution is Right for You?

L2F Case Study Overview

Firewalls and Virtual Private Networks

VPN. Date: 4/15/2004 By: Heena Patel

Virtual Private Networks Solutions for Secure Remote Access. White Paper

Creating a VPN Using Windows 2003 Server and XP Professional

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Configure ISDN Backup and VPN Connection

VPN. VPN For BIPAC 741/743GE

Virtual Private Networks

How Virtual Private Networks Work

Connecting Remote Users to Your Network with Windows Server 2003

PPTP Server Access Through The

Secured Voice over VPN Tunnel and QoS. Feature Paper

VPN VPN requirements Encryption VPN-Types Protocols VPN and Firewalls

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Chapter 4: Security of the architecture, and lower layer security (network security) 1

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

Overview. Protocols. VPN and Firewalls

Virtual Private Network and Remote Access Setup

Internet Privacy Options

Implementing Secured Converged Wide Area Networks (ISCW) Version 1.0

Virtual Private Network and Remote Access

Quidway MPLS VPN Solution for Financial Networks

CS 393/682 Network Security. Nasir Memon Polytechnic University Module 7 Virtual Private Networks

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

November Defining the Value of MPLS VPNs

AN OVERVIEW OF REMOTE ACCESS VPNS: ARCHITECTURE AND EFFICIENT INSTALLATION

VPN SECURITY. February The Government of the Hong Kong Special Administrative Region

Objectives. Remote Connection Options. Teleworking. Connecting Teleworkers to the Corporate WAN. Providing Teleworker Services

Quidway AR 18-1X Series Router Datasheet

MCTS Guide to Microsoft Windows 7. Chapter 14 Remote Access

Internet Protocol: IP packet headers. vendredi 18 octobre 13

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Technical papers Virtual private networks

IP-VPN Architecture and Implementation O. Satty Joshua 13 December Abstract

Chapter 5. Data Communication And Internet Technology

MPLS L2VPN (VLL) Technology White Paper

The next generation of knowledge and expertise Wireless Security Basics

Virtual Private Networks

This chapter describes how to set up and manage VPN service in Mac OS X Server.

WAN. Introduction. Services used by WAN. Circuit Switched Services. Architecture of Switch Services

CTS2134 Introduction to Networking. Module 07: Wide Area Networks

VPN PPTP Application. Installation Guide

WAN Technology. Heng Sovannarith

IBM enetwork VPN Solutions

Quidway SVN3000 Security Access Gateway

ISG50 Application Note Version 1.0 June, 2011

How to configure VPN function on TP-LINK Routers

Verizon Wireless White Paper. Verizon Wireless Broadband Network Connectivity and Data Transport Solutions

How to configure VPN function on TP-LINK Routers

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

Backbone. Taking a Peek Into Virtual Private Networks POP. Internet

Howto: How to configure static port mapping in the corporate router/firewall for Panda GateDefender Integra VPN networks

VIRTUAL PRIVATE NETWORKS: SECURE REMOTE ACCESS OVER THE INTERNET

Understanding the Cisco VPN Client

Wireless Encryption Protection

How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 (

VPN L2TP Application. Installation Guide

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Enterprise Edge Communications Manager. Data Capabilities

7.1. Remote Access Connection

Gigabit Content Security Router

Windows Server 2003 Remote Access Overview

Chapter 10 Security Protocols of the Data Link Layer

Deploying IP-based Virtual Private Network Across the Global Corporation

SonicWALL PCI 1.1 Implementation Guide

Joe Davies Principal Writer Windows Server Documentation

5.0 Network Architecture. 5.1 Internet vs. Intranet 5.2 NAT 5.3 Mobile Network

Secure Network Design: Designing a DMZ & VPN

Electronic Service Agent TM. Network and Transmission Security And Information Privacy

How Virtual Private Networks Work

WAN Data Link Protocols

How To Configure Apple ipad for Cyberoam L2TP

Application Note: Onsight Device VPN Configuration V1.1

RA-MPLS VPN Services. Kapil Kumar Network Planning & Engineering Data. Kapil.Kumar@relianceinfo.com

Network Services Internet VPN

MP PLS VPN MPLS VPN. Prepared by Eng. Hussein M. Harb

Cisco Networks (ONT) 2006 Cisco Systems, Inc. All rights reserved.

GPRS / 3G Services: VPN solutions supported

Matrix Technical Support Mailer 167 NAVAN CNX200 PPTP VPN with Windows Client

Post-Class Quiz: Telecommunication & Network Security Domain

ProCurve Networking by HP Student guide Technical training. WAN Technologies Version 5.21

Service Managed Gateway TM. How to Configure a T1/E1 Connection

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

1.1. Abstract VPN Overview

VPN s and Mobile Apps for Security Camera Systems: EyeSpyF-Xpert

Module 10: Supporting Remote Users

Mobile office opportunities

Small Business Server Part 2

Configuring an IPsec VPN to provide ios devices with secure, remote access to the network

How to access peers with different VPN through IPSec. Tunnel

A Performance Analysis of Gateway-to-Gateway VPN on the Linux Platform

IP Tunneling and VPNs

Introduction of Quidway SecPath 1000 Security Gateway

RAS Associates, Inc. Systems Development Proposal. Scott Klarman. March 15, 2009

Cornerstones of Security

Scenario: IPsec Remote-Access VPN Configuration

CS419: Computer Networks. Lecture 9: Mar 30, 2005 VPNs

Tunnel Routing. Preface. Challenge

Transcription:

Intranet Security Solution 1. Introduction With the increase in information and economic exchange, there are more and more enterprises need to communicate with their partners, suppliers, customers or their branches in different places through intranet. There are some specific requirements of intranet network. For example, it needs WAN link and backup line for the connection, data and voice integration transmission, high reliability of the network and low cost for the TCO. Because of the requirement of information security and control, it needs some features listed and explained as follows. Information Hiding It is unnecessary to use real identity to communicate with the opposite side. With network address translation, users can access exterior networks with public address only (with interior address hidden). Except for connection initiated by the interior network, exterior users cannot access interior resources directly through address translation. Data Encryption Data transmission in the public network cannot be free from wiretapping. In order to avoid information leakage caused by data wire tapping, it is necessary to encrypt the transmitted information, with only the opposite in communication having the right to decrypt it. With encryption on the transmitted message by router, data will be guaranteed with privacy and integrality as well as message content reality even transmitted on the Internet. For VPN built on public network, data encryption can ensure security of messages in tunnel transmission.

2. Technologies of Quidway Series Routers Quidway series routers provide abundant features used for the Intranet connection including different WAN interface, user authentication, authorization and data protection, QoS and VPN. 2.1. Backup Center In order to promote network reliability, Quidway series routers brings out proper concept of backup center. The backup center has the following characteristics. - It can provide backup interface for any interface of the router except the dialing interface. - Any interface of the router can be used as backup interface of other interface or logical link. - It can provide backup for certain logical link of an interface. The backup interface can be either an interface or certain logical channel of the interface. Here the logical channel may be virtual circuit of X.25, frame relay, ATM and ADSL or certain dialer map of the dialing interface. - One master interface may have multiple backup interfaces. When the master one breaks off the multiple backup interfaces will be in substitute according to their PRI. - Interfaces with multiple physical channels (such as interfaces of BRI and PRI) can provide backup for multiple master interfaces. - The master and backup interfaces can share load. When flow of the master interface reaches the threshold, backup interface will be started up. The backup interface will be closed if flows of the master and backup interfaces are lower than another configured threshold. 2.2. AAA (Authentication, Authorization, Accounting) AAA provides user authentication, authorization and accounting. - Authentication: user (including login user and PPP access user etc) should be authenticated before being allowed to access network resources. The authentication may adopt either user database maintained by the router itself or the user database maintained by RADIUS server. - Authorization: it uses a group of attributes to describe user authorization information in order to determine practical access authorizations of users. The authorization information is stored in the database maintained by RADIUS. For access users, the attribute of "filterid" can be used to decide which type of principles should be adopted to filter user messages. - Accounting: it allows tracking and auditing on network resources accessed by user. After accounting function of AAA is opened, the network access server will send user activity information to RADIUS server in certain charging format. The information will be saved on the server, used for analysis on network operation and creating user bills etc.

AAA provides a mainframe of identity authentication and access control. It utilizes protocols of RADIUS, TACACS+ and Kerberos to realize network access control. Quidway series routers apply RADIUS protocol, which is in most expansive use. 2.3. VPN VPN (Virtual Private Network) develops rapidly with the Internet. Modern enterprises utilize more and more Internet resources for sales promotion, marketing, after-sale service, training and cooperation, etc. Many enterprises are inclined to replace their private data network with the Internet. Compared with original Intranet, VPN is a logical network using virtual links of the Internet to transmit private information. Let's take this enterprise as an example. The interior network set up on VPN is shown as Figure 1. Figure 1 VPN application As shown in the figure, interior resources occupier is connected to POP (Point of Presence) server of local ISP through PSTN for mutual communication. If adopting traditional WAN technology, dedicated line must be placed to achieve the same objective. With VPN employees on errands and distant customers can access enterprise interior resources without access authorization of local ISP. This is very important for fluid employees on errands and customers in extensive distribution. To set up VPN, an enterprise simply put a server supporting VPN (such as a router supporting VPN) at the place of resources sharing. After connecting to local POP server through PSTN resources occupier will directly call remote VPN server of the enterprise, with the same call manner as that of PSTN connection. The left work will be completed by NAS (Network Access Server) of ISP.

Figure 2 VPN access NAS mainly uses tunneling technology, which aims at transmitting one type of packets in another type of network. As shown in Figure 2, user dials in NAS of ISP through PSTN. NAS identifies the user of VPN user through username or access number and sets up connection (tunnel) with destination VPN server of the user. User message will be encapsulated into IP packet and transmitted to VPN server from the tunnel. After receiving the packet VPN server will unpack it and read the content. The reverse process is similar. Both ends of the tunnel can encrypt the packet so that other users of the Internet cannot read it. As to user the tunnel is logical extension of PSTN link, with the same operation as that of physical link. Protocols supporting tunneling in layer-2 include PPTP (Point-to-Point Tunneling Protocol), L2F (Layer-2 Forwarding) and L2TP (Layer-2 Tunneling Protocol). L2TP integrates advantages of the former two protocols, accepted by enormous companies. Tunneling protocols in layer-3 include IPSec and GRE. IPSec can guarantee data security of transmitted private information by encryption. For more details please refer to next section. Quidway series routers support L2TP, IPSec and GRE. 3. Solutions 3.1. SMB Solution Considering of branches in different locations, Quidway series routers provide interconnection solution for security Intranet construction (as shown in Figure 3). Interconnection through DDN dedicated line belongs to traditional Intranet solution of different branches. However, with the development of enterprise with various branches over the world, security problem of remote data transmission between LANs is attracting more and more sights. IPSec of Quidway series routers provides data protection, which can guarantee privacy, integrality and reality of data in remote interconnection of different branches so as to implement secure Intranet. Similarly, as shown in Figure 3, it can also apply packet filtering and NAT to realize interior security of LANs. This is very important for institutions such as bank. For example, the bank headquarters settles with branches in specified time period only, which can be realized by duration packet filtering.

Figure 3 SMB solution of Quidway series routers 3.2. Large Enterprise Solution It is very expensive to interconnect branches through DDN dedicated line so it can satisfy neither demand of large-scale organization nor demand of employee on errand accessing interior network. Quidway router supports tunneling technologies of GRE and L2TP, utilizing public network to set up VPN to make up for the above shortage. However, these tunneling protocols cannot provide corresponding data security guarantees because they do not provide encryption protection. For example, L2TP may take authentication algorithm such as MD5 in channel negotiation but have neither encryption nor authentication on data transmission so that it is easy to be wiretapped. When combined with IPSec it is able to encrypt message to realize secure VPN. Yet IPSec can implement secure VPN independently. Security VPN solution of Quidway router is shown in Figure 4. - Employees on errand can access the headquarters through local Internet. - Offices and branches interconnect with the headquarters through GRE or IPSec, with data encrypted in transmission. - Branches can interconnect with each other or the Internet through NAT.

Figure 4 Large enterprise solution of Quidway series routers

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information