This post covers some important technical principles associated with a VPN. A Virtual Private Network (VPN) integrates remote employees, company offices, and business partners using the Internet and secures encrypted tunnels between locations. An Access VPN is used to connect remote users to the enterprise network. The remote workstation or laptop uses an access circuit such as Cable, DSL or Wireless to connect to a local Internet Service Provider (ISP). In the client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop to the ISP using IPSec, Layer 2 Tunneling Protocol (L2TP), or Point to Point Tunneling Protocol (PPTP). The user must authenticate with the ISP as a permitted VPN user. Once that is complete, the ISP builds an encrypted tunnel to the company VPN router or concentrator. TACACS, RADIUS or Windows servers then authenticate the remote user as an employee who is allowed access to the company network. With that complete, the remote user must then authenticate to the local Windows domain server, Unix server or Mainframe host, depending on where their network account is held. The ISP-initiated model is less secure than the client-initiated model, since the encrypted tunnel is built only from the ISP to the company VPN router or VPN concentrator, leaving the link from the client to the ISP outside the tunnel. In that model the VPN tunnel is built with L2TP or L2F.
The Extranet VPN connects business partners to the company network by building a secure VPN connection from the business partner's router to the company VPN router or concentrator. The tunneling protocol used depends on whether it is a router connection or a remote dialup connection. The choices for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE); dialup extranet connections use L2TP or L2F. The Intranet VPN connects company offices across a secure connection using the same approach, with IPSec or GRE as the tunneling protocols. What makes VPNs so economical and efficient is that they leverage the existing Internet to transport company traffic. That is why many companies select IPSec as the security protocol of choice for ensuring that data is protected as it travels between routers, or between a laptop and a router. IPSec is composed of 3DES encryption, IKE key exchange authentication and MD5 route authentication, which together provide authentication, authorization and confidentiality.
Internet Protocol Security (IPSec) – IPSec operation is worth describing, since it is such a commonly used security protocol in Virtual Private Networking today. IPSec is specified in RFC 2401 and was designed as an open standard for the secure transport of IP across the public Internet. The packet structure consists of an IP header, an IPSec header and an Encapsulating Security Payload (ESP). IPSec provides encryption with 3DES and authentication with MD5. In addition there are Internet Key Exchange (IKE) and ISAKMP, which automate the distribution of secret keys between IPSec peer devices (concentrators and routers). These protocols are required for negotiating one-way or two-way security associations. An IPSec security association consists of an encryption algorithm (3DES), a hash algorithm (MD5) and an authentication method (MD5). Access VPN implementations use three security associations (SAs) per connection (transmit, receive and IKE). An enterprise network with many IPSec peer devices will use a Certificate Authority for scalability of the authentication process, rather than IKE pre-shared keys.
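Added example (not code from the original post): a Python sketch of how a receiving peer uses the packet layout and security associations described above, parsing the IP header and ESP header (SPI and sequence number), selecting the inbound SA by SPI, and applying the RFC 2401 sliding anti-replay window. The packet builder, SA table and addresses are constructed for illustration; 3DES decryption and MD5 verification of the payload are omitted.

```python
import struct
from dataclasses import dataclass, field

@dataclass
class SecurityAssociation:
    """One inbound IPSec SA, selected by SPI, carrying the negotiated
    cipher/hash names and a sliding anti-replay window (RFC 2401)."""
    spi: int
    cipher: str = "3des-cbc"
    hash_alg: str = "hmac-md5"
    window: int = 64
    highest_seq: int = 0
    seen: set = field(default_factory=set)

    def check_replay(self, seq: int) -> bool:
        """True if seq is fresh (and record it); False if replayed or stale."""
        if seq == 0:
            return False                      # 0 is never valid on the wire
        if seq > self.highest_seq:
            self.highest_seq = seq            # window slides forward
        elif seq <= self.highest_seq - self.window or seq in self.seen:
            return False
        self.seen.add(seq)
        self.seen = {s for s in self.seen if s > self.highest_seq - self.window}
        return True

def parse_esp(packet: bytes):
    """Split IPv4 header / ESP header / encrypted payload (constructed packet)."""
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length in bytes
    if packet[9] != 50:                       # IP protocol 50 = ESP
        raise ValueError(f"not an ESP packet (protocol {packet[9]})")
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return spi, seq, packet[ihl + 8:]

def inbound(sa_table: dict, packet: bytes) -> str:
    """Receiver-side decision: SA lookup by SPI, then anti-replay check."""
    spi, seq, payload = parse_esp(packet)
    sa = sa_table.get(spi)
    if sa is None:
        return f"drop: no SA for SPI 0x{spi:08x}"
    if not sa.check_replay(seq):
        return f"drop: replayed or stale seq {seq} on SPI 0x{spi:08x}"
    return f"accept: seq {seq}, {len(payload)} bytes for {sa.cipher}/{sa.hash_alg}"

def build_esp(spi: int, seq: int, payload: bytes) -> bytes:
    """Constructed sample: minimal IPv4 header (proto 50) + ESP header + payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 50, 0,
                     bytes([203, 0, 113, 10]), bytes([198, 51, 100, 1]))
    return ip + struct.pack("!II", spi, seq) + payload
```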
Laptop – VPN Concentrator IPSec Peer Connection
1. IKE Security Association Negotiation
2. IPSec Tunnel Setup
3. XAUTH Request / Response – (RADIUS Server Authentication)
4. Mode Config Response / Acknowledge (DHCP and DNS)
5. IPSec Security Association
Access VPN Design – The Access VPN leverages the availability and low cost of the Internet for connectivity to the company core office, using WiFi, DSL and Cable access circuits from local Internet Service Providers. The key issue is that company data must be protected as it travels across the Internet from the telecommuter's laptop to the company core office. The client-initiated model is used: it builds an IPSec tunnel from each client laptop, terminated at a VPN concentrator. Each laptop is configured with VPN client software that runs on Windows. The telecommuter must first dial a local access number and authenticate with the ISP. The RADIUS server authenticates each dial connection as an authorized telecommuter. Once that is complete, the remote user authenticates and is authorized by a Windows, Solaris or Mainframe server before starting any applications. Dual VPN concentrators are configured for failover with the Virtual Router Redundancy Protocol (VRRP), should one of them become unavailable.
Each concentrator sits between the external router and the firewall. A newer feature of the VPN concentrators prevents denial of service (DoS) attacks from outside attackers that could affect network availability. The firewalls are configured to permit the source and destination IP addresses assigned to each telecommuter from a pre-defined range. Likewise, only the application and protocol ports that are actually needed are permitted through the firewall.
Extranet VPN Design – The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus, since the Internet is used to transport all data traffic from each business partner. There is a circuit connection from each business partner that terminates at a VPN router at the company core office. Each business partner, and its peer VPN router at the core office, uses a router with a VPN module. That module provides IPSec and high-speed hardware encryption of packets before they are transported across the Internet. Peer VPN routers at the company core office are dual-homed to different multilayer switches for link diversity, should one of the links become unavailable. It is important that traffic from one business partner does not end up at another business partner's office. The switches are located between the external and internal firewalls and are also used to connect public servers and the external DNS server. That is not a security issue, since the external firewall filters public Internet traffic.
In addition, filtering can be implemented at each network switch to prevent routes from being advertised, or vulnerabilities from being exploited, through the business partner connections on the company core office multilayer switches. Separate VLANs are assigned at each network switch for every business partner to improve security and segmentation of subnet traffic. The tier 2 external firewall examines each packet and permits only those with the business partner source and destination IP addresses, application and protocol ports they require. Business partner sessions must authenticate with a RADIUS server. Once that is complete, they authenticate at Windows, Solaris or Mainframe hosts before starting any applications.
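Added example (not code from the original post): a Python model of the firewall filtering described in the Access and Extranet designs above. It permits only sources from the telecommuter pool or a business partner subnet, only the ports each population requires, and never lets one business partner's traffic reach another partner's subnet through the core office. The address ranges, partner names and port sets are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int

# Constructed policy values. Telecommuters get addresses from a pre-defined
# pool (Mode Config); each business partner has its own VLAN/subnet.
TELECOMMUTER_POOL = ipaddress.ip_network("10.200.0.0/24")
CORE_SERVERS = ipaddress.ip_network("10.10.0.0/16")
PARTNER_SUBNETS = {
    "partner-a": ipaddress.ip_network("10.201.0.0/24"),
    "partner-b": ipaddress.ip_network("10.202.0.0/24"),
}
# Only the application and protocol ports each population actually needs.
ALLOWED_PORTS = {
    "telecommuter": {("tcp", 445), ("tcp", 1433), ("tcp", 22), ("tcp", 23)},
    "partner-a": {("tcp", 443)},
    "partner-b": {("tcp", 443), ("tcp", 22)},
}

def classify(addr: str) -> Optional[str]:
    """Map a source address to the population its range was assigned to."""
    ip = ipaddress.ip_address(addr)
    if ip in TELECOMMUTER_POOL:
        return "telecommuter"
    for name, net in PARTNER_SUBNETS.items():
        if ip in net:
            return name
    return None

def evaluate(flow: Flow) -> str:
    """Firewall decision for one flow arriving at the core office."""
    src_pop = classify(flow.src)
    dst_ip = ipaddress.ip_address(flow.dst)
    if src_pop is None:
        return "deny: source outside any assigned range"
    # Partner-to-partner traffic must never transit the core office switches.
    if src_pop != "telecommuter" and any(dst_ip in n for n in PARTNER_SUBNETS.values()):
        return f"deny: {src_pop} may not reach another partner subnet"
    if dst_ip not in CORE_SERVERS:
        return "deny: destination is not a core-office server"
    if (flow.proto, flow.dport) not in ALLOWED_PORTS[src_pop]:
        return f"deny: {flow.proto}/{flow.dport} not required by {src_pop}"
    return f"permit: {src_pop} -> {flow.dst} {flow.proto}/{flow.dport}"
```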