This article discusses some crucial technical concepts connected with a VPN. A Virtual Private Network (VPN) connects remote employees, company offices and partners over the Internet and secures their traffic with encrypted tunnels between locations. An Access VPN can be used to connect remote users to the enterprise network. The remote workstation or laptop uses an access circuit such as Cable, DSL or Wireless to connect to a local Internet Service Provider (ISP). In the client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop to the ISP using IPSec, Layer 2 Tunneling Protocol (L2TP), or Point to Point Tunneling Protocol (PPTP). The user must authenticate as a permitted VPN user with the ISP. Once that is finished, the ISP builds an encrypted tunnel to the company VPN router or concentrator. TACACS, RADIUS or Windows servers authenticate the remote user as an employee who is allowed access to the company network. With that finished, the remote user must then authenticate to the local Windows domain server, Unix server or Mainframe host, depending on where their network account is located. The ISP-initiated model is less secure than the client-initiated model because the encrypted tunnel is built only from the ISP to the company VPN router or VPN concentrator. In that model the secure VPN tunnel is built with L2TP or L2F.
The Extranet VPN connects partners to the company network by building a VPN connection from the business partner router to the company VPN router or concentrator. The tunneling protocol used depends on whether it is a router connection or a remote dialup connection. The options for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE). Dialup extranet connections use L2TP or L2F. The Intranet VPN connects company offices over a secure connection using the same approach, with IPSec or GRE as the tunneling protocols. It is essential to note that what makes VPNs so cost-effective and efficient is that they leverage the existing Internet for transporting company traffic. For this reason many companies are selecting IPSec as the security protocol of choice for ensuring that information is protected as it travels between routers, or between a laptop and a router. IPSec is comprised of 3DES encryption, IKE key exchange authentication and MD5 route authentication, which together provide authentication, authorization and confidentiality.
Internet Protocol Security (IPSec) – The IPSec protocol is worth noting, since it is the most prevalent security protocol used today with Virtual Private Networking. IPSec is specified in RFC 2401 and was designed as an open standard for secure transport of IP across the public Internet. The packet structure consists of an IP header, an IPSec header and an Encapsulating Security Payload (ESP). IPSec provides encryption with 3DES and authentication with MD5. In addition there is Internet Key Exchange (IKE) and ISAKMP, which automate the distribution of secret keys between IPSec peer devices (concentrators and routers). These protocols are required for negotiating one-way or two-way security associations. IPSec security associations consist of an encryption algorithm (3DES), a hash algorithm (MD5) and an authentication method (MD5). Access VPN implementations use 3 security associations (SA) per connection (transmit, receive and IKE). An enterprise network with many IPSec peer devices will use a Certificate Authority for scalability of the authentication process rather than IKE/pre-shared secrets.
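To make the packet structure and the per-direction security associations concrete, here is an added example (not from the article, and not any vendor's code) that parses the IP header and the ESP header (SPI and sequence number) from a constructed IPv4 packet, looks the SPI up in a made-up SA table with a transmit and a receive entry, and rejects packets whose sequence number does not advance. The SPIs, peer address and algorithms in the table are assumptions for the example.

```python
import struct

ESP_PROTO = 50  # IP protocol number for Encapsulating Security Payload (ESP)


def make_sa_table():
    """Constructed SA table keyed by SPI. A concentrator learns these from IKE;
    the SPIs, peer address and algorithms here are made up for the example."""
    return {
        0x1000A001: {"peer": "10.1.1.5", "dir": "receive", "cipher": "3DES", "hash": "MD5", "last_seq": 0},
        0x1000A002: {"peer": "10.1.1.5", "dir": "transmit", "cipher": "3DES", "hash": "MD5", "last_seq": 0},
    }


def parse_esp(packet: bytes):
    """Return (src, dst, spi, seq) for an IPv4 packet carrying ESP, else None."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # IP header length in bytes
    if packet[9] != ESP_PROTO or len(packet) < ihl + 8:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])  # ESP header: SPI, sequence number
    return src, dst, spi, seq


def check_packet(packet: bytes, sa_table: dict) -> str:
    """Classify an inbound packet: 'not-esp', 'unknown-spi', 'replay' (sequence did
    not advance past the last one seen on that SA) or 'ok' (sequence recorded)."""
    parsed = parse_esp(packet)
    if parsed is None:
        return "not-esp"
    _src, _dst, spi, seq = parsed
    sa = sa_table.get(spi)
    if sa is None:
        return "unknown-spi"
    if seq <= sa["last_seq"]:
        return "replay"
    sa["last_seq"] = seq
    return "ok"


def build_esp_packet(src: str, dst: str, spi: int, seq: int, payload: bytes = b"\x00" * 16) -> bytes:
    """Construct a minimal IPv4+ESP test packet (IP checksum left at zero; test data only)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, ESP_PROTO, 0, src_b, dst_b)
    return ip_hdr + struct.pack("!II", spi, seq) + payload
```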
Laptop – VPN Concentrator IPSec Peer Connection
1. IKE Security Association Negotiation
2. IPSec Tunnel Setup
3. XAUTH Request / Response – (RADIUS Server Authentication)
4. Mode Config Response / Acknowledge (DHCP and DNS)
5. IPSec Security Association
Access VPN Design – The Access VPN leverages the availability and low cost of the Internet for connectivity to the company core office, with WiFi, DSL and Cable access circuits from local Internet Providers. The key problem is that company data has to be protected as it travels across the Internet from the telecommuter laptop to the company core office. The client-initiated model is used: it builds an IPSec tunnel from each client laptop that is terminated at a VPN concentrator. Each laptop is configured with VPN client software that runs on Windows. The telecommuter must first dial the local access number and authenticate with the ISP. The RADIUS server authenticates each dial connection as an authorized telecommuter. Once that is finished, the remote user authenticates and is authorized with a Windows, Solaris or Mainframe server before starting any applications. There are dual VPN concentrators, configured for failover with Virtual Router Redundancy Protocol (VRRP) should one of them be unavailable.
Each concentrator is connected between the external router and the firewall. A new feature of the VPN concentrators prevents denial of service (DoS) attacks from external hackers that could affect network availability. The firewalls are configured to permit the source and destination IP addresses that are assigned to each telecommuter from the pre-defined range. In addition, only the application and protocol ports that are required are permitted through the firewall.
Extranet VPN Design – The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus, since the Internet will be used for transporting all data traffic from each business partner. There will be a circuit connection from each business partner that terminates at a VPN router at the company core office. Each business partner and its peer VPN router at the core office will use a router with a VPN module. That module provides IPSec and high-speed hardware encryption of packets before they are transported across the Internet. Peer VPN routers at the company core office are dual homed to different multilayer switches for link diversity should one of the links be unavailable. It is important that traffic from one business partner does not end up at another business partner office. The switches are situated between the external and internal firewalls and are used for connecting public servers and the external DNS server. That is not a security issue, since the external firewall is filtering public Internet traffic.
Furthermore, filtering can be implemented at each network switch as well, to prevent routes from being advertised or vulnerabilities being exploited as a result of having business partner connections at the company core office multilayer switches. Separate VLANs will be assigned at each network switch for each business partner to improve security and segmentation of subnet traffic. The tier 2 external firewall will examine each packet and permit only those with the business partner source and destination IP addresses, application and protocol ports they require. Business partner sessions must authenticate with a RADIUS server. Once that is finished, they will authenticate at Windows, Solaris or Mainframe hosts before starting any applications.
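The tier 2 external firewall rule described above, and the requirement that one partner's traffic never ends up at another partner, can be expressed and audited as a default-deny policy. The following is an added example (not from the article, and not any firewall product's syntax): partner names, the two partner networks and the core-office hosts and ports are constructed values.

```python
import ipaddress
from collections import namedtuple

# One ACL entry on the tier 2 external firewall: which partner network may reach
# which core-office host on which protocol/port. All addresses are constructed.
Rule = namedtuple("Rule", "partner src_net dst_host proto dport")

PARTNER_NETS = {"partner-a": "203.0.113.0/24", "partner-b": "198.51.100.0/24"}

POLICY = [
    Rule("partner-a", "203.0.113.0/24", "192.0.2.10", "tcp", 443),   # web application
    Rule("partner-a", "203.0.113.0/24", "192.0.2.11", "tcp", 1521),  # database listener
    Rule("partner-b", "198.51.100.0/24", "192.0.2.10", "tcp", 443),  # web application only
]


def evaluate(policy, src, dst, proto, dport):
    """Default-deny evaluation: return the partner whose rule permits this flow, or None.
    Source network, destination host, protocol and port must all match one rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if (s in ipaddress.ip_network(r.src_net) and d == ipaddress.ip_address(r.dst_host)
                and proto == r.proto and dport == r.dport):
            return r.partner
    return None


def isolation_violations(policy, partner_nets):
    """Static audit of the policy: a rule whose destination lies inside another
    partner's network would let one partner's traffic end up at the other partner."""
    found = []
    for r in policy:
        for name, net in partner_nets.items():
            if name != r.partner and ipaddress.ip_address(r.dst_host) in ipaddress.ip_network(net):
                found.append((r.partner, name, r.dst_host))
    return found
```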