Summary

This article describes some key technical concepts associated with VPNs. A Virtual Private Network (VPN) integrates remote staff, company offices and business partners over the Internet by building secure, encrypted tunnels between the sites.

An Access VPN connects remote users to the corporate network. The remote workstation or laptop uses an access circuit such as cable, DSL or wireless to connect to a local Internet Service Provider (ISP). In the client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop, through the ISP, to the enterprise VPN routers or concentrators using IPSec, Layer 2 Tunneling Protocol (L2TP) or Point to Point Tunneling Protocol (PPTP). The user must first authenticate with the ISP to be admitted. TACACS, RADIUS or Windows servers then authenticate the remote user as an employee, after which access to the corporate network is allowed. Once this is done, the remote user must still authenticate to the Windows domain server, Unix server or mainframe host on which the user's network account resides. The ISP-initiated model is less secure than the client-initiated model, since the encrypted tunnel is built by the ISP only between the ISP and the company VPN router or concentrator; in this model the tunnel is built with L2TP or L2F.

An Extranet VPN connects business partners to the corporate network by establishing a secure VPN connection from the business partner's router to the company's VPN routers or concentrators. The tunneling protocol used depends on whether the partner is router-connected or uses a remote dial-up connection. Router-connected extranet VPNs use IPSec or Generic Routing Encapsulation (GRE); dial-up extranet connections use L2TP or L2F. An Intranet VPN connects corporate offices over a secure connection using the same process, with IPSec or GRE as the tunneling protocol.
It is important to note that VPNs are inexpensive and effective because they use the existing Internet as the transport for company traffic. That is why many companies choose IPSec as their security protocol of choice for ensuring that information stays secure as it travels between routers, or between a laptop and a router. IPSec with 3DES encryption, IKE key exchange and MD5 path authentication provides authentication, authorization and confidentiality.

Internet Protocol Security (IPSec)

IPSec operation is worth understanding, since it is the prevailing security protocol used with Virtual Private Networking today. IPSec is specified by RFC 2401 and was developed as an open standard for the secure transport of IP over the public Internet. The packet structure is composed of an IP header, an IPSec header and the Encapsulating Security Payload (ESP). IPSec with 3DES provides the encryption service, and MD5 provides authentication. Internet Key Exchange (IKE) and ISAKMP automate the distribution of secret keys between IPSec peer devices (routers and concentrators). These protocols are required to negotiate one-way or two-way security associations. An IPSec security association consists of an encryption algorithm (3DES), a hash algorithm (MD5) and an authentication method (MD5). Access VPN implementations use three Security Associations (SA) per connection (send, receive and IKE). A company network with many IPSec peer devices should use a certificate authority for scalable authentication instead of IKE with pre-shared keys.
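The ESP packet structure and MD5 authentication described above, as an added example that is not from the article: it builds an ESP packet (SPI, sequence number, payload, integrity check value) using HMAC-MD5-96 and verifies received packets against an inbound security association, including the anti-replay sequence window a receiver keeps per SA. The payload encryption (3DES in the article) is left out, and the key, SPI and payloads are constructed values; HMAC-MD5 is shown only because the article specifies it, and new deployments should use SHA-2 based integrity.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-MD5-96: the 128-bit MAC is truncated to 96 bits (RFC 2403)


def build_esp(auth_key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Build an ESP packet: SPI | sequence number | payload | ICV.
    'payload' stands for the already-encrypted data; the ICV covers the
    SPI, sequence number and payload, so none of them can be altered in transit."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.md5).digest()[:ICV_LEN]
    return header + payload + icv


class InboundSA:
    """Receive-side security association: authentication key, expected SPI and
    the anti-replay window of accepted sequence numbers (constructed values)."""

    def __init__(self, auth_key: bytes, spi: int, window: int = 64):
        self.auth_key, self.spi, self.window = auth_key, spi, window
        self.highest = 0   # highest sequence number accepted so far
        self.seen = set()  # accepted sequence numbers still inside the window

    def receive(self, packet: bytes):
        """Return (accepted, reason, payload). The ICV is checked before the
        replay window is touched, so a forged packet cannot move the window."""
        if len(packet) < 8 + ICV_LEN:
            return False, "truncated", b""
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return False, "unknown SPI", b""
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.md5).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False, "bad ICV", b""
        # Anti-replay: sequence 0 is never valid; reject numbers that fell behind
        # the window or that were already accepted.
        if seq == 0 or seq <= self.highest - self.window or seq in self.seen:
            return False, "replay", b""
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.window}
        self.seen.add(seq)
        return True, "ok", body[8:]
```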
Laptop to IPSec VPN Concentrator peer connection:
1. IKE Security Association negotiation
2. IPSec tunnel setup
3. XAUTH request/response (RADIUS authentication server)
4. Mode Config response/acknowledge (DHCP and DNS)
5. IPSec Security Association

Access VPN Design

This design leverages the availability and low cost of Internet connectivity to the core business office, using WiFi, DSL and cable access circuits from local Internet Service Providers. The main problem is that company data must be protected as it travels from the teleworker's laptop to the company's core office over the Internet. The client-initiated model is used: an IPSec tunnel is built from each client laptop to a VPN concentrator. Each laptop is configured with VPN client software that runs under Windows. The teleworker must first dial a local access number and authenticate with the ISP. The RADIUS server authenticates each dial-up connection as an authorized teleworker. Once this is complete, the remote user authenticates and is authorized with Windows, Solaris or a mainframe server before using any applications. There are two VPN concentrators, configured for failover with Virtual Router Redundancy Protocol (VRRP) should one of them become unavailable. Each concentrator is connected between the external router and the firewall. A new feature of the VPN concentrators prevents Denial of Service (DoS) attacks by hackers that could affect the availability of the external network. The firewalls are configured to allow only source and destination IP addresses assigned to each teleworker from a predefined range. Likewise, only the application and protocol ports that are required are permitted through the firewall.

Extranet VPN Design

The Extranet VPN design enables secure VPN connections from any business partner office to the core office.
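The firewall policy described above for the access VPN (a predefined teleworker address pool and only the required ports) and, in the extranet design, per-business-partner subnets that may reach only their own servers, as an added example that is not the article's configuration: a default-deny evaluator over constructed rules, plus an audit that flags rules whose address ranges overlap, since an overlap would let one partner's rule match another partner's traffic. All addresses, ports and rule names are placeholders.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network   # who may originate the session
    dst: IPv4Network   # which internal subnet they may reach
    ports: frozenset   # allowed (protocol, destination port) pairs


# Constructed policy; the addresses and ports are placeholders, not the article's.
POLICY = [
    # Teleworkers receive tunnel addresses from one predefined pool (Mode Config)
    Rule("teleworkers", ip_network("10.100.0.0/24"), ip_network("10.2.0.0/16"),
         frozenset({("tcp", 445), ("tcp", 3389), ("tcp", 22)})),
    # Each business partner sits on its own VLAN and reaches only its own servers
    Rule("partner-a", ip_network("192.0.2.0/24"), ip_network("10.1.50.0/24"),
         frozenset({("tcp", 443)})),
    Rule("partner-b", ip_network("198.51.100.0/24"), ip_network("10.1.60.0/24"),
         frozenset({("tcp", 1521)})),
]


def evaluate(src: str, dst: str, proto: str, dport: int, policy=POLICY):
    """Default deny: permit only when the source range, destination range and
    protocol/port all match the same rule. Returns (decision, rule name)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and (proto, dport) in rule.ports:
            return "permit", rule.name
    return "deny", "default"


def audit_segmentation(policy=POLICY):
    """Return pairs of rules whose source or destination ranges overlap. Such an
    overlap means one party's rule can match another party's traffic, which
    defeats the per-partner VLAN and subnet segmentation."""
    findings = []
    for i, a in enumerate(policy):
        for b in policy[i + 1:]:
            if a.src.overlaps(b.src) or a.dst.overlaps(b.dst):
                findings.append((a.name, b.name))
    return findings
```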
Security is the primary focus, since the Internet will be used to transport all traffic from each business partner. A circuit connection from each business partner terminates on a VPN router at the company's core office. Each business partner and its peer VPN router at the core office use a router with a VPN module. The module provides IPSec and high-speed hardware encryption of packets before they are transported over the Internet. The peer VPN routers at the core office are dual-homed to different multilayer switches for link diversity, should one of the links become unavailable. It is important that the public end of each business partner's connection terminates at the core office and not in another business partner's office. The switches used are located between the external and internal firewalls and also connect the public servers and external DNS servers. This is not a security concern, since the external firewall filters public Internet traffic. In addition, route filtering can be implemented at each network switch to prevent routes from being advertised across the business partner connections at the core office multilayer switches. Separate VLANs are assigned on each network switch for each business partner to improve security and segment the subnet traffic. The tier 2 external firewall examines each packet and permits only the business partner source and destination IP addresses, applications and protocol ports that each partner needs. Business partner sessions are authenticated with a RADIUS server. Once this is complete, they authenticate with Windows, Solaris or mainframe hosts before using any applications.

Network Planning and Design Guide is available at Amazon and eBookMall.com. Shaun Hummel is the author of several technically focused books and has a website on information technology job search solutions and certifications. http://www. job network solutions. com
Internet Security and VPN Network Design
Shaun Hummel, CCNP, is a Senior Network Engineer with 11 years' experience in enterprise network planning, design and implementation. He has worked for various private and public companies in Canada and the United States improving infrastructure, security and administration. He has written Network Planning and Design Guide, Cisco Wireless Network Design Guide and Network Assessment Guide. www. job network solutions. com