This post discusses some important technical concepts associated with a VPN. A Virtual Private Network (VPN) integrates remote employees, company offices, and business partners using the Internet and secures encrypted tunnels between locations. An Access VPN is used to connect remote users to the enterprise network. The remote workstation or laptop uses an access circuit such as Cable, DSL or Wireless to reach a local Internet Service Provider (ISP). In the client-initiated model, VPN client software on the remote workstation builds the tunnel itself, end to end from the laptop across the ISP's network to the company VPN router or concentrator, using IPSec, Layer 2 Tunneling Protocol (L2TP) or Point to Point Tunneling Protocol (PPTP); the ISP only authenticates the user as a subscriber and provides IP connectivity. In the ISP-initiated model the user must first authenticate with the ISP as a permitted VPN user, and once that is finished the ISP's access server builds the tunnel, using L2TP or L2F, from itself to the company VPN router or concentrator. In either model, TACACS, RADIUS or Windows servers then authenticate the remote user as an employee who is allowed access to the company network. With that finished, the remote user must still authenticate to the local Windows domain server, Unix server or Mainframe host, depending on where their network account is located. The ISP-initiated model is less secure than the client-initiated model because the tunnel exists only between the ISP and the company VPN router or concentrator: the leg from the laptop to the ISP is unprotected, and the company must trust the ISP's equipment. Note also that L2F and L2TP on their own only tunnel and do not encrypt, and that PPTP's MPPE encryption and MS-CHAP authentication have well-known weaknesses, so of these options only IPSec (or L2TP carried over IPSec) gives strong confidentiality.
The Extranet VPN connects business partners to the company network by building a secure VPN connection from the business partner router to the company VPN router or concentrator. The tunneling protocol used depends on whether it is a router connection or a remote dialup connection. The choices for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE); dialup extranet connections use L2TP or L2F. The Intranet VPN connects company offices across a secure connection using the same approach, with IPSec or GRE as the tunneling protocols. GRE on its own only encapsulates: it is chosen because it can carry routing protocol and multicast traffic that plain IPSec cannot, but it must be run over IPSec (GRE over IPSec) to get any confidentiality or integrity. What makes VPNs so affordable and efficient is that they leverage the existing Internet for transporting company traffic. That is why most companies select IPSec as the security protocol of choice for ensuring that data is protected as it travels between routers, or between laptop and router. IPSec, as deployed in the designs below, uses 3DES for encryption, IKE for key exchange and peer authentication, and HMAC-MD5 for per-packet integrity checking, which together provide peer authentication, data integrity and confidentiality. Authorization is not something IPSec provides; that remains the job of the RADIUS, TACACS or domain servers. Today AES and SHA-2 would be used in place of 3DES and MD5, both of which are deprecated.
Internet Protocol Security (IPSec) – IPSec operation is worth describing because it is such a prevalent security protocol in Virtual Private Networking today. IPSec was specified in RFC 2401 (since updated by RFC 4301) and developed as an open standard for the secure transport of IP over the public Internet. The packet layout is an IP header, followed by the IPSec header (AH or ESP), followed by the protected payload; with ESP the payload is encrypted and an integrity check value is appended at the end. In the configuration discussed here IPSec provides encryption with 3DES and packet authentication with HMAC-MD5. In addition there is Internet Key Exchange (IKE), built on ISAKMP, which automates the distribution of secret keys between IPSec peer devices (concentrators and routers). These protocols are required for negotiating security associations (SAs). An IPSec SA is unidirectional, so a two-way connection needs one SA in each direction, and the receiver identifies each inbound SA by the Security Parameter Index (SPI) carried in the IPSec header. The IKE policy negotiated between peers consists of an encryption algorithm (3DES), a hash algorithm (MD5) and an authentication method, which is either pre-shared keys or digital certificates. Access VPN implementations therefore use three SAs per connection: an IPSec SA for transmit, an IPSec SA for receive, and the bidirectional IKE SA. A company network with many IPSec peer devices will use a Certificate Authority for scalable peer authentication rather than IKE with pre-shared keys.
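As an added example (not code from the original post), the following Python models the receiver side of the layout just described: it locates the ESP header after the IP header, selects the inbound Security Association by SPI and destination address, verifies the HMAC-MD5-96 integrity check value, and then enforces the ESP anti-replay window from RFC 4303. The addresses, SPIs, key and packets are constructed sample data, and HMAC-MD5 is used only because the post names MD5; a current deployment would use AES-GCM or HMAC-SHA-2.

```python
"""Added example, not code from the original post: a receiver-side model of the
packet layout IP header / ESP header / payload that selects the inbound SA by
SPI, verifies the HMAC-MD5-96 ICV and enforces the ESP anti-replay window
(RFC 4303). Addresses, SPIs and keys below are constructed sample data."""
import hmac
import struct
from dataclasses import dataclass

ESP_PROTO = 50      # IP protocol number for ESP
ICV_LEN = 12        # HMAC-MD5-96: 128-bit MAC truncated to 96 bits (RFC 2403)


@dataclass
class SecurityAssociation:
    """One unidirectional IPsec SA; the receiver indexes it by (SPI, destination)."""
    spi: int
    dst: str
    auth_key: bytes
    window_size: int = 64
    highest_seq: int = 0
    window: int = 0      # bit d set <=> sequence number (highest_seq - d) already seen

    def check_replay(self, seq: int) -> str:
        """Sliding-window check; records seq and returns 'fresh', else a drop reason."""
        if seq == 0:
            return "zero sequence number"          # ESP never uses sequence number 0
        if seq > self.highest_seq:                 # packet moves the right edge of the window
            shift = seq - self.highest_seq
            if shift < self.window_size:
                self.window = ((self.window << shift) | 1) & ((1 << self.window_size) - 1)
            else:
                self.window = 1                    # jumped past the whole window
            self.highest_seq = seq
            return "fresh"
        diff = self.highest_seq - seq
        if diff >= self.window_size:
            return "too old"
        if self.window & (1 << diff):
            return "replay"
        self.window |= 1 << diff                   # out-of-order but unseen: accept once
        return "fresh"


def build_ipv4_esp(src, dst, spi, seq, auth_key, payload=b"encrypted data"):
    """Constructed sample packet: IPv4 header | SPI | seq | payload | ICV."""
    esp = struct.pack("!II", spi, seq) + payload
    icv = hmac.new(auth_key, esp, "md5").digest()[:ICV_LEN]
    total = 20 + len(esp) + ICV_LEN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, ESP_PROTO, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + esp + icv


class InboundSAD:
    """Security Association Database for inbound traffic on one peer."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        self._sas[(sa.spi, sa.dst)] = sa

    def accept(self, packet: bytes) -> str:
        """Return 'accept' or 'drop: <reason>' for one raw IPv4 packet."""
        ihl = (packet[0] & 0x0F) * 4
        if packet[9] != ESP_PROTO:
            return "drop: not ESP"
        dst = ".".join(str(b) for b in packet[16:20])
        esp, icv = packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", esp[:8])
        sa = self._sas.get((spi, dst))
        if sa is None:
            return "drop: no SA for SPI"
        expected = hmac.new(sa.auth_key, esp, "md5").digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "drop: bad ICV"     # integrity first; the window is only updated after it
        status = sa.check_replay(seq)
        return "accept" if status == "fresh" else f"drop: {status}"


def demo():
    """Constructed scenario: a laptop sending ESP to a concentrator with an 8-entry window."""
    key = b"sample-auth-key-not-a-real-one"
    laptop, concentrator = "198.51.100.7", "203.0.113.10"
    sad = InboundSAD()
    sad.add(SecurityAssociation(spi=0x1000, dst=concentrator, auth_key=key, window_size=8))
    results = []
    for seq in (1, 2, 5, 3, 2, 20, 11, 12):          # out-of-order is fine, replay is not
        results.append(sad.accept(build_ipv4_esp(laptop, concentrator, 0x1000, seq, key)))
    results.append(sad.accept(build_ipv4_esp(laptop, concentrator, 0x2000, 1, key)))  # unknown SPI
    tampered = bytearray(build_ipv4_esp(laptop, concentrator, 0x1000, 21, key))
    tampered[30] ^= 0x01                             # flip one payload byte: ICV must fail
    results.append(sad.accept(bytes(tampered)))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The small window size is only to make the replay and "too old" cases visible in a handful of packets; real implementations use 64 or more. The ICV is checked before the window is touched so that a forged packet with a high sequence number cannot push genuine in-flight packets out of the window.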
Laptop – VPN Concentrator IPSec Peer Connection
1. IKE Security Association Negotiation (IKE phase 1: the peers agree the encryption and hash algorithms, authenticate each other and derive keying material)
2. XAUTH Request / Response – (the concentrator challenges the user for credentials and checks them against the RADIUS server)
3. Mode Config Response / Acknowledge (the concentrator pushes the client's internal IP address, DNS servers and related settings, taking the address from a DHCP scope or its own pool)
4. IPSec Security Association negotiation (IKE phase 2 / quick mode, establishing one IPSec SA in each direction)
5. IPSec Tunnel Established (user traffic now flows inside ESP)
Access VPN Design – The Access VPN leverages the availability and low cost of the Internet for connectivity to the company core office, with WiFi, DSL and Cable access circuits from local Internet providers. The key concern is that company data must be protected as it travels across the Internet from the telecommuter laptop to the company core office. The client-initiated model will be used, which builds an IPSec tunnel from each client laptop that is terminated on a VPN concentrator. Each laptop will be configured with VPN client software running on Windows. The telecommuter must first connect to the ISP (dialing the local access number in the dialup case) and authenticate with the ISP. The company RADIUS server will then authenticate each VPN connection, in the XAUTH step above, as an authorized telecommuter. Once that is finished, the remote user will authenticate and be authorized on the Windows, Solaris or Mainframe server before starting any applications. There are dual VPN concentrators configured for failover with the Virtual Router Redundancy Protocol (VRRP) should one of them become unavailable.
Each concentrator is connected between the external router and the firewall, so decrypted telecommuter traffic still passes through the firewall before reaching the internal network. A newer feature of the VPN concentrators mitigates denial of service (DoS) attacks from outside attackers that could affect network availability. The firewalls are configured to permit the source and destination IP addresses assigned to each telecommuter from the pre-defined address pool (the addresses handed out by Mode Config), and only the application and protocol ports that are actually required are permitted through the firewall.
Extranet VPN Design – The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus since the Internet will be used for transporting all data traffic from each business partner. There will be a circuit connection from each business partner that terminates on a VPN router at the company core office. Each business partner, and its peer VPN router at the core office, will use a router with a VPN module. That module provides IPSec with high-speed hardware encryption of packets before they are transported across the Internet. The peer VPN routers at the company core office are dual-homed to different multilayer switches for link diversity, should one of the links become unavailable. It is crucial that traffic from one business partner does not end up at another business partner's office. The switches are located between the internal and external firewalls and are also used to connect public servers and the external DNS server. Sharing them with the partner VPN routers is acceptable because the external firewall filters public Internet traffic before it reaches them, provided the partner segments are separated as described next.
Furthermore, filtering can be implemented at each network switch to prevent routes from being advertised, or vulnerabilities exploited, as a result of having business partner connections on the company core office multilayer switches. Separate VLANs will be assigned at each network switch for every business partner to improve security and segment subnet traffic. The tier 2 external firewall will examine each packet and permit only those with business partner source and destination IP addresses and the application and protocol ports they need. Business partner sessions must authenticate with a RADIUS server. Once that is finished, they will authenticate to the Windows, Solaris or Mainframe hosts before starting any applications.
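As an added example (not code from the original post), the following Python models the per-partner controls described for the extranet design: each business partner is tied to its own VLAN and subnet, the tier 2 external firewall permits only the destination, protocol and port combinations that partner needs, partner-to-partner traffic is refused outright, and the core switch accepts only route advertisements inside the partner's own address space. The partner names, subnets, servers, VLAN numbers and ports are constructed sample values, not anything from the page.

```python
"""Added example, not from the original post: a model of the per-partner
controls in the extranet design. Each business partner has its own VLAN and an
allow-list of (destination network, protocol, port) enforced at the external
firewall, the switch accepts only the partner's own routes, and
partner-to-partner traffic is always denied. Names, subnets, servers and ports
are constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Partner:
    name: str
    vlan: int                          # VLAN assigned to this partner on the core switches
    subnet: ipaddress.IPv4Network      # the partner's address space behind its VPN router
    allowed: tuple                     # (destination network, protocol, port) the partner needs


@dataclass(frozen=True)
class Packet:
    vlan: int        # VLAN the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


class ExtranetFirewall:
    """Tier 2 external firewall: permits only registered partner flows."""

    def __init__(self, partners):
        self.partners = list(partners)

    def partner_for(self, pkt):
        """Map a packet to a partner by source address *and* arrival VLAN."""
        src = ipaddress.ip_address(pkt.src)
        for p in self.partners:
            if p.vlan == pkt.vlan and src in p.subnet:
                return p
        return None

    def decide(self, pkt):
        partner = self.partner_for(pkt)
        if partner is None:
            return "deny: source is not a registered partner on this VLAN"
        dst = ipaddress.ip_address(pkt.dst)
        for other in self.partners:          # hard rule: no partner-to-partner traffic
            if other is not partner and dst in other.subnet:
                return f"deny: {partner.name} to {other.name} (partner-to-partner)"
        for net, proto, port in partner.allowed:
            if dst in net and proto == pkt.proto and port == pkt.dport:
                return "permit"
        return "deny: no matching rule"


def accept_partner_routes(partner, advertised):
    """Route filter on the core switch: keep only prefixes inside the partner's own subnet."""
    kept = []
    for prefix in advertised:
        if ipaddress.ip_network(prefix).subnet_of(partner.subnet):
            kept.append(prefix)
    return kept


def demo():
    """Constructed scenario with two partners and the core office's public servers."""
    order_srv = ipaddress.ip_network("172.16.5.10/32")
    db_srv = ipaddress.ip_network("172.16.5.20/32")
    acme = Partner("Acme", 110, ipaddress.ip_network("10.10.0.0/24"), ((order_srv, "tcp", 443),))
    beta = Partner("Beta", 120, ipaddress.ip_network("10.20.0.0/24"), ((db_srv, "tcp", 1433),))
    fw = ExtranetFirewall([acme, beta])
    decisions = [fw.decide(p) for p in (
        Packet(110, "10.10.0.5", "172.16.5.10", "tcp", 443),   # Acme to its order server
        Packet(110, "10.10.0.5", "172.16.5.20", "tcp", 1433),  # Acme to Beta's database server
        Packet(110, "10.10.0.5", "10.20.0.7", "tcp", 443),     # Acme to Beta's office
        Packet(120, "10.10.0.5", "172.16.5.10", "tcp", 443),   # Acme address seen on Beta's VLAN
        Packet(120, "10.20.0.9", "172.16.5.20", "tcp", 1433),  # Beta to its database server
    )]
    routes = accept_partner_routes(acme, ["10.10.0.0/25", "10.10.0.128/25",
                                          "0.0.0.0/0", "10.20.0.0/24"])
    return decisions, routes


if __name__ == "__main__":
    decisions, routes = demo()
    print("\n".join(decisions))
    print("routes accepted from Acme:", routes)
```

Keying the partner lookup on both the VLAN and the source subnet is what makes the VLAN separation worth having: a partner address that shows up on another partner's VLAN is treated as unregistered rather than matched by address alone. The route filter is the counterpart for the control plane, so a partner cannot advertise a default route or another partner's prefix into the core switches.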