This short article covers some of the technical principles behind Virtual Private Networks. A VPN connects remote employees, company offices and business partners over the public Internet by building encrypted tunnels between locations. An Access VPN connects remote users to the enterprise network. The remote workstation or laptop uses an access circuit such as cable, DSL or wireless to connect to a local Internet Service Provider (ISP). In the client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop, across the ISP, to the company VPN router or concentrator using IPSec, Layer 2 Tunneling Protocol (L2TP) or Point to Point Tunneling Protocol (PPTP); the ISP only carries the tunneled traffic. The user first authenticates with the ISP as a permitted subscriber; a TACACS, RADIUS or Windows server then authenticates the remote user as an employee who is allowed access to the company network. With that finished, the remote user must still authenticate to the local Windows domain server, Unix server or mainframe host, depending on where their network account is located. The ISP-initiated model is less secure than the client-initiated model because the encrypted tunnel runs only from the ISP to the company VPN router or concentrator, so traffic between the laptop and the ISP is not protected by the VPN; in this model the tunnel is built with L2TP or L2F. Note that PPTP's MS-CHAPv2 authentication has well-known weaknesses, so PPTP should not be chosen for new deployments.
The Extranet VPN connects business partners to the company network by building a secure VPN connection from the business partner's router to the company VPN router or concentrator. The tunneling protocol used depends on whether it is a router connection or a remote dialup connection: the options for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE), while dialup extranet connections use L2TP or L2F. The Intranet VPN connects company offices over a secure connection using the same approach, with IPSec or GRE as the tunneling protocols. What makes VPNs so cost effective and efficient is that they leverage the existing Internet to transport company traffic, which is why most companies select IPSec as the security protocol for protecting data as it travels between routers, or between a laptop and a router. Keep in mind that GRE on its own only encapsulates; it provides no encryption or integrity protection, so a GRE tunnel carrying sensitive traffic should itself be protected with IPSec. As used in this design, IPSec provides 3DES encryption, IKE for key exchange and peer authentication, and HMAC-MD5 packet authentication, which together give confidentiality, integrity and authentication of the traffic. Both 3DES and MD5 are now considered legacy; current deployments use AES (typically AES-GCM) with SHA-2 based integrity, and IKEv2 in place of IKEv1.
Internet Protocol Security (IPSec) – IPSec is worth covering in more detail because it is the most common security protocol used with Virtual Private Networking today. IPSec was specified in RFC 2401 (since superseded by RFC 4301) and developed as an open standard for the secure transport of IP traffic across the public Internet. The packet structure consists of an IP header, an IPSec header and the Encapsulating Security Payload (ESP), which carries the encrypted data and its integrity check. As used in this design, IPSec provides encryption with 3DES and authentication with HMAC-MD5. In addition there are Internet Key Exchange (IKE) and ISAKMP, which automate the distribution of secret keys between IPSec peer devices (concentrators and routers). Those protocols negotiate security associations, which are one-way: each direction of a two-way connection needs its own SA. An IPSec security association consists of an encryption algorithm (3DES), a hash algorithm (MD5) and a peer authentication method (pre-shared secret or certificate), together with the keys and a Security Parameter Index (SPI) that identifies the SA in every packet. Access VPN implementations use three security associations (SAs) per connection (transmit, receive and IKE). An enterprise network with many IPSec peer devices will use a Certificate Authority for scalability in the authentication process instead of IKE with pre-shared secrets.
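To make the security association and packet structure concrete, here is an added Python example; it is not code from the original article or from any IPSec implementation. It models one-way SAs identified by SPI, builds ESP-style packets of the form SPI | sequence number | ciphertext | ICV, verifies the HMAC-MD5-96 integrity check before decrypting, and enforces an anti-replay window. The cipher is a toy counter-mode keystream derived with HMAC-SHA256 standing in for 3DES/AES, the keys are constructed inline rather than negotiated by IKE, and the class and function names are this example's own assumptions.

```python
import hmac
import struct
from dataclasses import dataclass, field


@dataclass
class SecurityAssociation:
    """One-way IPSec SA: identified by SPI, carrying its own keys, algorithms and state.
    A two-way connection therefore needs two of these (transmit and receive)."""
    spi: int
    enc_key: bytes
    auth_key: bytes
    hash_alg: str = "md5"      # HMAC-MD5-96 as in the design above; use sha256 in new deployments
    icv_len: int = 12          # 96-bit truncated ICV, as in RFC 2403/2404
    replay_window: int = 64    # inbound anti-replay window size
    seq: int = 0               # outbound sequence counter
    highest_seq: int = 0       # highest inbound sequence number accepted so far
    seen: set = field(default_factory=set)

    def keystream(self, seq: int, length: int) -> bytes:
        # Toy stand-in for the 3DES/AES cipher: a counter-mode keystream derived with
        # HMAC-SHA256 from the SA key, the SPI and the packet's sequence number.
        out, block = b"", 0
        while len(out) < length:
            out += hmac.new(self.enc_key, struct.pack("!IIQ", self.spi, seq, block), "sha256").digest()
            block += 1
        return out[:length]

    def icv(self, authenticated: bytes) -> bytes:
        # Integrity Check Value over SPI, sequence number and ciphertext (encrypt-then-MAC).
        return hmac.new(self.auth_key, authenticated, self.hash_alg).digest()[: self.icv_len]


class ReplayError(Exception):
    pass


class IntegrityError(Exception):
    pass


def esp_encapsulate(sa: SecurityAssociation, plaintext: bytes) -> bytes:
    """Build an ESP packet: SPI(4) | seq(4) | ciphertext | ICV. The outer IP header is omitted."""
    sa.seq += 1
    header = struct.pack("!II", sa.spi, sa.seq)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, sa.keystream(sa.seq, len(plaintext))))
    return header + ciphertext + sa.icv(header + ciphertext)


def esp_decapsulate(sadb: dict, packet: bytes) -> bytes:
    """Look up the SA by SPI, verify the ICV, enforce anti-replay, then decrypt."""
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sadb[spi]  # KeyError means there is no SA for this SPI: the packet is dropped
    body, received_icv = packet[8:-sa.icv_len], packet[-sa.icv_len:]
    if not hmac.compare_digest(sa.icv(packet[:-sa.icv_len]), received_icv):
        raise IntegrityError("ICV mismatch: packet modified or wrong key")
    # Anti-replay: reject sequence numbers that fell out of the window or were already seen.
    if seq + sa.replay_window <= sa.highest_seq or seq in sa.seen:
        raise ReplayError(f"replayed or stale sequence number {seq}")
    sa.seen.add(seq)
    sa.highest_seq = max(sa.highest_seq, seq)
    sa.seen = {s for s in sa.seen if s + sa.replay_window > sa.highest_seq}
    return bytes(c ^ k for c, k in zip(body, sa.keystream(seq, len(body))))


def try_decapsulate(sadb: dict, packet: bytes):
    """Receiver-side wrapper: ("ok", payload) or (drop reason, None)."""
    try:
        return "ok", esp_decapsulate(sadb, packet)
    except KeyError:
        return "no-sa", None
    except IntegrityError:
        return "integrity", None
    except ReplayError:
        return "replay", None


if __name__ == "__main__":
    # Constructed keys; a real deployment gets them from IKE. Both ends of one direction
    # hold the same keys but keep separate counter / window state.
    enc, auth = b"\x01" * 24, b"\x02" * 16
    laptop_tx = SecurityAssociation(0x1001, enc, auth)
    concentrator_sadb = {0x1001: SecurityAssociation(0x1001, enc, auth)}
    pkt = esp_encapsulate(laptop_tx, b"GET / HTTP/1.0")
    print(try_decapsulate(concentrator_sadb, pkt))   # accepted once
    print(try_decapsulate(concentrator_sadb, pkt))   # same packet again: replay
```

The ICV is checked before the replay window is updated and before anything is decrypted, which is the order a real ESP implementation uses: an attacker who cannot forge the ICV cannot burn sequence numbers or probe the cipher.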
Laptop – VPN Concentrator IPSec Peer Connection (sequence of events)
1. IKE Security Association Negotiation (IKE Phase 1: the peers agree on algorithms and authenticate each other with a pre-shared secret or certificate)
2. IPSec Tunnel Setup (the protected IKE channel is established; the remaining steps run inside it)
3. XAUTH Request / Response (the concentrator checks the user's credentials against the RADIUS server)
4. Mode Config Response / Acknowledge (the concentrator pushes an internal IP address, from a pool or DHCP, and the DNS server to the client)
5. IPSec Security Association (IKE Phase 2: the transmit and receive SAs that carry the data are negotiated; only now can traffic flow)
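The five steps above as a simulated exchange between the laptop and the concentrator, added here as an example rather than taken from the article or from any vendor's client. It uses a pre-shared-secret proof in place of the real IKE Phase 1 (the Diffie-Hellman exchange is omitted), a constructed in-memory user table standing in for the RADIUS server, and a constructed address pool for Mode Config; `Concentrator`, `laptop_connect`, `GROUP_PSK`, `RADIUS_USERS` and the other names are this example's own assumptions. The point it shows is that the concentrator refuses to hand out an address or negotiate the IPSec SA unless the earlier steps completed, so a failed XAUTH leaves no tunnel.

```python
import hmac
import ipaddress
import os

# Constructed sample data for this example: the group pre-shared secret, a RADIUS-style
# user table, the Mode Config address pool and the internal DNS server.
GROUP_PSK = b"example-group-secret"
RADIUS_USERS = {"alice": "correct horse battery", "bob": "hunter2"}
ADDRESS_POOL = [str(ip) for ip in ipaddress.ip_network("10.20.0.0/29").hosts()]
DNS_SERVER = "10.1.1.53"


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), "sha256").digest()


class StateError(Exception):
    pass


class Concentrator:
    """VPN concentrator side. Every step checks that the previous step completed."""

    def __init__(self):
        self.sessions = {}            # client nonce -> per-session state
        self.pool = list(ADDRESS_POOL)

    def _session(self, ni: bytes, expected: str) -> dict:
        s = self.sessions.get(ni)
        if s is None or s["state"] != expected:
            raise StateError(f"out of order: expected session state {expected}")
        return s

    def ike_phase1(self, ni: bytes, client_proof: bytes) -> dict:
        # Step 1: the client proves knowledge of the PSK; the concentrator answers with its own
        # nonce and proof. Real IKE also runs Diffie-Hellman so SKEYID is not derivable from the PSK.
        if not hmac.compare_digest(client_proof, prf(GROUP_PSK, ni, b"client")):
            raise StateError("IKE phase 1 failed: bad pre-shared secret")
        nr = os.urandom(16)
        # Step 2: the protected channel now exists; later messages are keyed with skeyid.
        self.sessions[ni] = {"state": "IKE_SA", "skeyid": prf(GROUP_PSK, ni, nr)}
        return {"nr": nr, "server_proof": prf(GROUP_PSK, ni, nr, b"server")}

    def xauth(self, ni: bytes, username: str, password: str) -> None:
        # Step 3: XAUTH request/response; the lookup stands in for a RADIUS Access-Request.
        s = self._session(ni, "IKE_SA")
        if RADIUS_USERS.get(username) != password:
            s["state"] = "FAILED"
            raise StateError("XAUTH failed: RADIUS rejected the credentials")
        s.update(state="AUTHENTICATED", user=username)

    def mode_config(self, ni: bytes) -> dict:
        # Step 4: Mode Config hands an authenticated client an internal address and DNS server.
        s = self._session(ni, "AUTHENTICATED")
        if not self.pool:
            raise StateError("Mode Config failed: address pool exhausted")
        s.update(state="CONFIGURED", ip=self.pool.pop(0))
        return {"ip": s["ip"], "dns": DNS_SERVER}

    def ike_phase2(self, ni: bytes) -> dict:
        # Step 5: the transmit/receive IPSec SA pair, with keys derived from the phase 1 secret.
        s = self._session(ni, "CONFIGURED")
        spi_in, spi_out = (int.from_bytes(os.urandom(4), "big") for _ in range(2))
        s.update(state="ESTABLISHED", spi_in=spi_in, spi_out=spi_out,
                 key_in=prf(s["skeyid"], b"esp", spi_in.to_bytes(4, "big")),
                 key_out=prf(s["skeyid"], b"esp", spi_out.to_bytes(4, "big")))
        return {"spi_in": spi_in, "spi_out": spi_out}


def laptop_connect(conc: Concentrator, username: str, password: str) -> dict:
    """Client side: runs the five steps in order and reports the outcome."""
    ni = os.urandom(16)
    try:
        r1 = conc.ike_phase1(ni, prf(GROUP_PSK, ni, b"client"))
        if not hmac.compare_digest(r1["server_proof"], prf(GROUP_PSK, ni, r1["nr"], b"server")):
            raise StateError("concentrator failed to prove the pre-shared secret")
        conc.xauth(ni, username, password)
        cfg = conc.mode_config(ni)
        sa = conc.ike_phase2(ni)
    except StateError as e:
        return {"state": "FAILED", "reason": str(e)}
    return {"state": "ESTABLISHED", "ip": cfg["ip"], "dns": cfg["dns"], **sa}


def skip_xauth_attempt(conc: Concentrator) -> str:
    """A client that jumps from Phase 1 straight to Phase 2 gets refused."""
    ni = os.urandom(16)
    conc.ike_phase1(ni, prf(GROUP_PSK, ni, b"client"))
    try:
        conc.ike_phase2(ni)
    except StateError as e:
        return str(e)
    return "accepted"


if __name__ == "__main__":
    c = Concentrator()
    print(laptop_connect(c, "alice", "correct horse battery"))
    print(laptop_connect(c, "alice", "wrong"))
    print(skip_xauth_attempt(c))
```

Because the session state machine lives on the concentrator, a client cannot skip XAUTH by simply sending a Phase 2 proposal, and a rejected user never consumes an address from the pool.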
Access VPN Design – The Access VPN leverages the availability and low cost of the Internet for connectivity to the company core office, using WiFi, DSL and cable access circuits from local Internet providers. The key problem is that company data must be protected as it travels across the Internet from the telecommuter's laptop to the company core office. The client-initiated model is used, which builds an IPSec tunnel from each client laptop that terminates on a VPN concentrator. Each laptop is configured with VPN client software that runs on Windows. The telecommuter must first dial the local access number and authenticate with the ISP. The RADIUS server then authenticates each connection as belonging to an authorized telecommuter. Once that is finished, the remote user authenticates and is authorized with the Windows, Solaris or mainframe server before starting any applications. Dual VPN concentrators can be configured for failover with the Virtual Router Redundancy Protocol (VRRP) should one of them become unavailable.
Each concentrator sits between the external router and the firewall. A newer feature of the VPN concentrators protects against denial of service (DoS) attacks from outside attackers that could affect network availability. The firewalls are configured to permit only the source and destination IP addresses that are allotted to each telecommuter from a pre-defined range, and only the application and protocol ports that are actually needed; everything else is denied.
Extranet VPN Design – The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus, since the Internet is used to transport all data traffic from each business partner. There is a circuit connection from each business partner that terminates at a VPN router at the company core office. Each business partner and its peer VPN router at the core office use a router with a VPN module. That module provides IPSec and high-speed hardware encryption of packets before they are transported over the Internet. Peer VPN routers at the company core office are dual-homed to different multilayer switches for link diversity, should one of the links become unavailable. It is crucial that traffic from one business partner does not end up at another business partner's office. The switches are situated between the internal and external firewalls and are also used to connect public servers and the external DNS server. That is not a security issue, because the external firewall filters the public Internet traffic before it reaches them.
Furthermore, filtering can be implemented at each network switch to prevent internal routes from being advertised to partners and to limit the exposure created by terminating business partner connections on the company core office multilayer switches. A separate VLAN is assigned on each network switch for every business partner, to improve security and to segment subnet traffic. The tier 2 external firewall examines each packet and permits only those with the business partner source and destination IP addresses and the application and protocol ports they require. Business partner sessions must authenticate with a RADIUS server. Once that is finished, they also authenticate at the Windows, Solaris or mainframe hosts before starting any applications.
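An added example (not from the article) of the filtering described for the telecommuter firewall in the Access VPN design and for the business partner VLANs, switches and tier 2 firewall here: a small Python policy evaluator using constructed addressing (partner A on VLAN 101 / 172.16.1.0/24, partner B on VLAN 102 / 172.16.2.0/24, the telecommuter pool 10.20.0.0/24, and the internal server addresses), all of which are this example's own assumptions. It checks that a packet's source belongs to the subnet assigned to its VLAN, applies first-match rules with an implicit deny, and derives the routes that may be advertised to each partner from that partner's permit rules so that internal and other-partner prefixes are never advertised.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source prefix
    dst: str              # destination prefix
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None for any
    action: str           # "permit" or "deny"


@dataclass(frozen=True)
class Packet:
    vlan: int             # VLAN the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


# Constructed sample addressing for the example: one VLAN and subnet per business partner,
# plus the telecommuter pool handed out by Mode Config.
VLAN_SUBNETS = {
    101: ipaddress.ip_network("172.16.1.0/24"),   # business partner A
    102: ipaddress.ip_network("172.16.2.0/24"),   # business partner B
    200: ipaddress.ip_network("10.20.0.0/24"),    # telecommuters
}

# First match wins; anything not matched is dropped by the implicit deny.
ACL = [
    Rule("partner-a-portal", "172.16.1.0/24", "10.1.2.10/32", "tcp", 443, "permit"),
    Rule("partner-b-db", "172.16.2.0/24", "10.1.2.11/32", "tcp", 1521, "permit"),
    Rule("telecommuter-web", "10.20.0.0/24", "10.1.1.0/24", "tcp", 443, "permit"),
    Rule("telecommuter-dns", "10.20.0.0/24", "10.1.1.53/32", "udp", 53, "permit"),
    # Explicit deny makes the partner-to-partner isolation requirement visible and loggable.
    Rule("no-partner-crosstalk", "172.16.0.0/16", "172.16.0.0/16", "any", None, "deny"),
]


def evaluate(packet: Packet, acl=ACL):
    """Return (action, rule name) for a packet, as the switch / tier 2 firewall would."""
    src, dst = ipaddress.ip_address(packet.src), ipaddress.ip_address(packet.dst)
    # Per-VLAN anti-spoofing: a partner cannot inject packets claiming another partner's addresses.
    subnet = VLAN_SUBNETS.get(packet.vlan)
    if subnet is None or src not in subnet:
        return "deny", "vlan-source-mismatch"
    for r in acl:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and r.proto in ("any", packet.proto) and r.dport in (None, packet.dport)):
            return r.action, r.name
    return "deny", "implicit-deny"


def routes_to_advertise(vlan: int, acl=ACL) -> list:
    """Only the destinations a partner's permit rules allow are advertised toward that partner;
    internal subnets and other partners' prefixes stay out of its routing table."""
    subnet = VLAN_SUBNETS[vlan]
    return sorted({r.dst for r in acl
                   if r.action == "permit" and subnet.overlaps(ipaddress.ip_network(r.src))})


if __name__ == "__main__":
    for p in (Packet(101, "172.16.1.5", "10.1.2.10", "tcp", 443),
              Packet(101, "172.16.1.5", "172.16.2.7", "tcp", 443),
              Packet(102, "172.16.1.5", "10.1.2.10", "tcp", 443)):
        print(p, "->", evaluate(p))
    print("advertise to partner A:", routes_to_advertise(101))
```

Pairing the VLAN check with the address-based rules matters: without it, a partner that spoofs another partner's source range would match that partner's permit rule on the shared switch.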