Virtual Private Network (VPN) © N. Ganesan, Ph.D.

Page 1: Virtual Private Network (VPN) © N. Ganesan, Ph.D

Virtual Private Network (VPN)

© N. Ganesan, Ph.D.

Page 2

Chapter Objectives

Page 3

Chapter Modules

Page 4

Primary Reference

• VPN Overview by Microsoft

Page 5

VPN

• A private network that is established virtually over a public network, in general the Internet

• It is virtual because it exists as a virtual entity within a public network

• It is private because it is confined to a set of private users

Page 6

Why is it a Virtual Private Network?

• From the user’s perspective, it appears as a network consisting of dedicated network links

• These links appear as if they are reserved for the VPN clientele

• Because of encryption, the network appears to be private

Page 7

Example of a VPN

Page 8

VPN Major Characteristics

• Must emulate a point-to-point link
  – Done by encapsulating the data so that it can travel the Internet to reach the end point

• Must emulate a private link
  – Done by encrypting the data in the data packets

Page 9

Typical VPN Connection

Page 10

Tunnel and Connections

• Tunnel
  – The portion of the network where the data is encapsulated

• Connection
  – The portion of the network where the data is encrypted

Page 11

Application Areas

• In general, provide users with a connection to the corporate network regardless of their location

• The alternative of using truly dedicated lines for a private network is an expensive proposition

Page 12

Some Common Uses of VPN

• Provide users with secured remote access over the Internet to corporate resources

• Connect two computer networks securely over the Internet
  – Example: Connect a branch office network to the network in the head office

• Secure part of a corporate network for security and confidentiality purposes

Page 13

Remote Access Over the Internet

Page 14

Connecting Two Computer Networks Securely

Page 15

Securing a Part of the Corporate Network

Page 16

Basic VPN Requirements

• User Authentication
• Address Management
• Data Encryption
• Key Management
• Multi-protocol Support

Page 17

User Authentication

• The VPN must be able to verify the user's identity and allow only authorized users to access the network

Page 18

Address Management

• Assign addresses to clients and ensure that private addresses are kept private on the VPN

Page 19

Data Encryption

• Encrypt and decrypt the data to ensure that others on the public network do not have access to the data

Page 20

Key Management

• Keys must be generated and refreshed for encryption at the server and the client

• Note that keys are required for encryption

Page 21

Multi-protocol Support

• The VPN technology must support common protocols on the Internet such as IP, IPX etc.

Page 22

VPN Implementation Protocols

• Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP)

• IPSec

Page 23

More on Tunneling

• Tunneling involves the encapsulation, transmission and decapsulation of data packets

• The data is encapsulated with additional headers

• The additional headers provide routing information for encapsulated data to be routed between the end points of a tunnel

Page 24

Tunneling

Page 25

Point-to-Point Tunneling Protocol (PPTP)

• Encapsulate and encrypt the data to be sent over a corporate or public IP network

Page 26

Layer 2 Tunneling Protocol (L2TP)

• Data is encrypted and encapsulated to be sent over communication links that support a user-datagram mode of transmission
  – Examples of such links include X.25, Frame Relay and ATM

Page 27

IPSec Tunnel Mode

• Encapsulate and encrypt in an IP header for transmission over an IP network

Page 28

Layer 2 Tunneling Protocols

• PPTP
• L2TP
• Both encapsulate the payload in a PPP frame

Page 29

Layer 3 Tunneling Protocol

• IPSec Tunneling Mode
  – Encapsulates the payload in an additional IP header
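The tunneling described on these slides (encapsulation behind an additional IP header whose addresses are the tunnel end points, then decapsulation at the far end), as an added Python example that is not part of the original slides: a minimal IP-in-IP tunnel. The addresses are constructed to match the private 172.16.0.0/24 and simulated public 10.0.0.0/24 networks of the deck's test scenario; the encryption an IPSec tunnel adds is left out so only the header handling shows.

```python
import struct
import ipaddress

IPPROTO_IPIP = 4  # protocol number for "IP in IP" encapsulation (RFC 2003)

def checksum(data: bytes) -> int:
    # One's-complement Internet checksum over 16-bit words; 0 for a valid header
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte IPv4 header (no options) with the checksum filled in
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt: bytes):
    # Returns (src, dst, proto, payload); rejects a header whose checksum does not verify
    if len(pkt) < 20 or checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
    return src, dst, pkt[9], pkt[20:total_len]

def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    # Tunnel entry: the whole inner packet becomes the payload of an outer packet whose
    # addresses are the tunnel end points, so that is all the public network routes on
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner

def decapsulate(outer: bytes, my_addr: str) -> bytes:
    # Tunnel exit: accept only tunnel traffic addressed to this end point, then strip the header
    src, dst, proto, inner = parse_ipv4(outer)
    if dst != my_addr or proto != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet for this end point")
    return inner

def demo():
    # Constructed sample: intranet host 172.16.0.10 sends to 172.16.0.20 (private network);
    # the tunnel end points 10.0.0.1 -> 10.0.0.2 lie on the simulated public network
    inner = ipv4_header("172.16.0.10", "172.16.0.20", 17, 5) + b"hello"
    outer = encapsulate(inner, "10.0.0.1", "10.0.0.2")
    public_view = parse_ipv4(outer)[:2]            # all a public router sees
    recovered = decapsulate(outer, "10.0.0.2")
    private_view = parse_ipv4(recovered)[:2]       # visible again only past the tunnel
    return public_view, private_view, recovered == inner
```

The private addresses never appear in the outer header, which is what the address-management requirement on the earlier slides asks for; a damaged or misdirected outer packet is rejected at the exit rather than decapsulated.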

Page 30

PPP Format

Page 31

PPTP Format

Page 32

L2TP Format

Page 33

Windows Implementation of VPN

• L2TP for tunneling
• IPSec for encryption
• Known as L2TP/IPSec

Page 34

Windows Implementation

Page 35

IPSec Tunnel Mode

• Supports only IP networks

Page 36

Tunnel Types

• Voluntary
  – VPN request is initiated by the client
  – The client remains the end point

• Compulsory
  – VPN access server creates a compulsory tunnel for the client
  – In this case, the dial-up access server between the user's computer and the tunnel server is the tunnel end point that acts as a client

Page 37

The Choice

• Voluntary tunneling is used in most applications

Page 38

Other Important Protocols in VPN

• Microsoft Point-to-Point Encryption (MPPE)

• Extensible Authentication Protocol (EAP)

• Remote Authentication Dial-in User Service (RADIUS)

Page 39

A Note on RADIUS

Page 40

Keys

• Symmetric Keys
• Asymmetric Keys

Page 41

Summary

Page 42
Page 43

End of Module

Page 44

VPN Scenarios

© N. Ganesan, Ph.D.

Page 45

Chapter Objectives

Page 46

Chapter Modules

Page 47

Reference

Page 48

Some Example Scenarios

• VPN remote access for employees
• On-demand branch office access
• Persistent branch office access
• Extranet for business partners
• Dial-up and VPNs with RADIUS authentication

Page 49

VPN Remote Access for Employees

Page 50

VPN Remote Access for Employees

Page 51

Router-to-Router Branch Office Connection

Page 52

Branch Office Connection (Router-to-Router)

Page 53

VPN Based Extranet

Page 54

Dial-up and VPNs with RADIUS Authentication

Page 55

Module

Configuring a VPN Environment

Page 56

Test Scenario

Page 57

Component Details

• A computer running Windows Server 2003, Enterprise Edition, named DC1 that is acting as a domain controller, a Domain Name System (DNS) server, a Dynamic Host Configuration Protocol (DHCP) server, and a certification authority (CA).

• A computer running Windows Server 2003, Standard Edition, named VPN1 that is acting as a VPN server. VPN1 has two network adapters installed.

• A computer running Windows Server 2003, Standard Edition, named IAS1 that is acting as a Remote Authentication Dial-in User Service (RADIUS) server.

Page 58

Component Details Cont.

• A computer running Windows Server 2003, Standard Edition, named IIS1 that is acting as a Web and file server.

• A computer running Windows XP Professional named CLIENT1 that is acting as a VPN client.

Page 59

Private and Public Networks

• Private – 172.16.0.0/24

• Simulated Public – 10.0.0.0/24

Page 60

DC1

• DC1 is a computer running Windows Server 2003, Enterprise Edition that is providing the following services:
  – A domain controller for the example.com Active Directory domain
  – A DNS server for the example.com DNS domain
  – A DHCP server for the intranet network segment
  – The enterprise root certification authority (CA) for the example.com domain

Page 61

Step 1: Configuring DC1

• The first step is to configure the following:
  – Active Directory
  – DNS
  – DHCP
  – CA

Page 62

Step 2: Configure IAS1

• Install Windows Server
  – Provides RADIUS authentication, authorization, and accounting for VPN1

• Register the server in Active Directory
• Configure new remote access policies
• Specify the authentication method and encryption level

Page 63

Step 3: Configure IIS1

• Configure this as a web server for web access as well as file sharing

Page 64

Step 4: Configure VPN1

• Install VPN1 as a member server in the domain

• Configure TCP/IP for the Intranet and Internet sides

• Configure and enable routing and remote access

• Set up the server to work with a RADIUS server

• Set up the DHCP relay agent parameters

Page 65

Step 5: Configure Client1

• CLIENT1 is a computer running Windows XP Professional that is acting as a VPN client and gaining remote access to intranet resources across the simulated Internet. To configure CLIENT1 as a VPN client for a PPTP connection, perform the following steps:

Page 66

1. Connect CLIENT1 to the intranet network segment.

2. On CLIENT1, install Windows XP Professional as a member computer named CLIENT1 of the example.com domain.

3. Add the VPNUser account in the example.com domain to the local Administrators group.

4. Log off and then log on using the VPNUser account in the example.com domain.

Page 67

5. From Control Panel-Network Connections, obtain properties on the Local Area Network connection, and then obtain properties on the Internet Protocol (TCP/IP).

6. Click the Alternate Configuration tab, and then click User configured.

7. In IP address, type 10.0.0.1. In Subnet mask, type 255.255.255.0. This is shown in the following figure.

Page 68
Page 69

8. Click OK to save changes to the Internet Protocol (TCP/IP). Click OK to save changes to the Local Area Network connection.

9. Shut down the CLIENT1 computer.

10. Disconnect the CLIENT1 computer from the intranet network segment, and connect it to the simulated Internet network segment.

Page 70

11. Restart the CLIENT1 computer and log on using the VPNUser account.

12. On CLIENT1, open the Network Connections folder from Control Panel.

13. In Network Tasks, click Create a new connection.

14. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.

15. On the Network Connection Type page, click Connect to the network at my workplace. This is shown in the following figure.

Page 71
Page 72
Page 73
Page 74
Page 75

19. Click Next. On the Connection Availability page, click Next.

20. On the Completing the New Connection Wizard page, click Finish. The Connect PPTPtoCorpnet dialog box is displayed. This is shown in the following figure.

Page 76
Page 77

21. Click Properties, and then click the Networking tab.

22. On the Networking tab, in Type of VPN, click PPTP VPN. This is shown in the following figure.

Page 78
Page 79

23. Click OK to save changes to the PPTPtoCorpnet connection. The Connect PPTPtoCorpnet dialog box is displayed.

24. In User name, type example\VPNUser. In Password, type the password you chose for the VPNUser account. This is shown in the following figure.

Page 80
Page 81

25. Click Connect.

26. When the connection is complete, run Internet Explorer.

27. If prompted by the Internet Connection Wizard, configure it for a LAN connection. In Address, type http://IIS1.example.com/winxp.gif. You should see a Windows XP graphic.

28. Click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the Local Drive (C:) on IIS1.

29. Right-click the PPTPtoCorpnet connection, and then click Disconnect.

Page 82

End of Chapter