The University of Oklahoma Virtual Private Network


The University of Oklahoma
Virtual Private Network
How it works
What is VPN?

• VPN stands for “Virtual Private Networking”
• It enables users to connect remotely to a network securely using the internet.
• VPN uses the concept of “tunneling” to achieve this connection into a network.
• There are troubleshooting hints located in the Notes section, so be sure to read
  the notes. Some of this information will be reviewed on the VPN quiz.
Tunneling

• Most VPNs rely on tunneling to create a private network that reaches across
  the Internet. Essentially, tunneling is the process of placing an entire packet
  within another packet and sending it over a network. The protocol of the outer
  layer is understood by the network and by both points, called tunnel interfaces,
  where the packet enters and exits the network.
• Tunneling requires three different protocols:
  – Carrier protocol - The protocol used by the network that the information is
    traveling over
  – Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is
    wrapped around the original data
  – Passenger protocol - The original data (IPX, NetBeui, IP) being carried
• Tunneling has amazing implications for VPNs. For example, you can place a
  packet that uses a protocol not supported on the Internet (such as NetBeui)
  inside an IP packet and send it safely over the Internet. Or you could put a
  packet that uses a private (non-routable) IP address inside a packet that uses a
  globally unique IP address to extend a private network over the Internet.
This material taken from www.howstuffworks.com
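The three-protocol layering described above, worked through in code. This is an added example, not part of the original slides or of the howstuffworks material: it builds a passenger packet with a private (10.0.0.0/8) source and destination, wraps it in a GRE header (the encapsulating protocol) and an outer IPv4 header with public addresses (the carrier protocol), then strips the layers again as the far tunnel interface would. All addresses are constructed documentation-range values, the GRE header is the 4-byte base form with no optional fields, and IPv4 options are not handled; these are assumptions of the example.

```python
import struct
import socket

IPPROTO_GRE = 47          # carrier-layer protocol number for GRE
IPPROTO_UDP = 17
GRE_PROTO_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 passenger


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 for a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) of an IPv4 packet; rejects a bad checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:total_len])


def gre_encapsulate(inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Entry tunnel interface: carrier IPv4 header + GRE header + whole passenger packet."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)   # flags/version = 0, protocol type = IPv4
    body = gre + inner_packet
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(body)) + body


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Exit tunnel interface: strip the carrier and GRE layers, return the passenger packet."""
    _, _, proto, body = parse_ipv4(outer_packet)
    if proto != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    _flags, ptype = struct.unpack("!HH", body[:4])
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % ptype)
    return body[4:]


def build_sample_tunnel():
    """Constructed sample: a private-address UDP datagram carried between two public addresses."""
    payload = b"constructed sample datagram"
    udp = struct.pack("!HHHH", 40000, 5000, 8 + len(payload), 0) + payload   # checksum 0 = none
    inner = ipv4_header("10.0.0.5", "10.0.0.20", IPPROTO_UDP, len(udp), ident=1) + udp
    outer = gre_encapsulate(inner, "203.0.113.10", "198.51.100.7")
    return inner, outer


if __name__ == "__main__":
    inner, outer = build_sample_tunnel()
    src, dst, proto, _ = parse_ipv4(outer)
    print("carrier  :", src, "->", dst, "protocol", proto)
    isrc, idst, iproto, _ = parse_ipv4(gre_decapsulate(outer))
    print("passenger:", isrc, "->", idst, "protocol", iproto)
```

Only the outer (carrier) header is visible to routers on the Internet, which is why the private inner addresses can cross it. Note that GRE alone gives no confidentiality or integrity: the passenger packet travels in the clear inside the outer one, which is the gap IPsec (discussed later in these slides) fills.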
OU VPN Service Network Diagram
OU VPN Client
The OU VPN Client is the software used to connect to the VPN Service at OU.
The Options Menu
• Clicking on the options button brings up the menu as shown.
• The Stateful Firewall (Always On) option can be either checked or not checked,
  depending on what kind of firewall the computer is behind (if the machine is
  behind a firewall at all).
Stateful Firewall (Always On)

A normal firewall is "stateless" because it keeps no memory of connection
state: every packet passing through it is judged on its own, as if it were a new
connection. A "stateful" firewall, by contrast, remembers the context of
connections and continuously updates this state information in dynamic
connection tables. This is valuable because an attacker trying to gain access
through the firewall has less chance of forging an entry as part of a valid
series of connections: the stored context shows that the additional connection
does not make sense in the context of the legitimate user's session.
Stateful Firewall (cont’d)

Basically, if a file with malicious content were broken up into multiple packets
in a way that did not make immediate sense to the firewall, and these parts were
sent in random order, a STATELESS firewall would let them through, and the
machine to which this content is delivered would reassemble the packets and
possibly do a lot of damage to its own data.

In the case of a STATEFUL firewall, the firewall keeps the context, or overall
picture, in view while letting packets through. It therefore checks each packet
in the context in which it is being sent. If the firewall then “makes sense” of
the overall file as malicious, it blocks the file.
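The difference between the two firewall types, shown on a constructed packet trace. This is an added example and not code from the slides or from the OU VPN client: a stateless rule set that can only look at each packet's own flags is run side by side with a small connection table that remembers which connections the inside host opened, and the two disagree exactly on the packets that belong to no real connection. The 10.0.0.0/8 "inside" network, the addresses and the trace are assumptions of the example; FIN handshake tracking and idle timeouts, which a real connection table also needs, are left out.

```python
from dataclasses import dataclass
import ipaddress

# Constructed assumption: the protected LAN behind the firewall.
INSIDE = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. frozenset({"SYN", "ACK"})


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE


def stateless_allow(pkt: Packet) -> bool:
    """A stateless rule set judges each packet alone. To let replies back in it
    must allow any inbound packet with ACK set, because it cannot remember
    which connections the inside actually opened."""
    if is_inside(pkt.src):
        return True                 # outbound traffic is always permitted
    return "ACK" in pkt.flags       # inbound: only if it "looks like" a reply


class StatefulFirewall:
    """Keeps a table of connections opened from inside; inbound packets are
    allowed only when they match an entry in that table."""

    def __init__(self):
        # key: (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table = {}

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"    # inside host opens a connection
                return True
            if key in self.table:
                if "RST" in pkt.flags:
                    del self.table[key]         # connection torn down
                return True
            return False                        # mid-stream packet with no known connection
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.table.get(key)
        if state is None:
            return False                        # nothing from inside asked for this: drop
        if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
            self.table[key] = "ESTABLISHED"
        if "RST" in pkt.flags:
            del self.table[key]
        return True


# Constructed trace: one legitimate connection plus two packets that belong to none.
SAMPLE_TRACE = [
    Packet("10.0.0.5", 40000, "198.51.100.7", 10000, frozenset({"SYN"})),         # 1 inside opens
    Packet("198.51.100.7", 10000, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),  # 2 server replies
    Packet("10.0.0.5", 40000, "198.51.100.7", 10000, frozenset({"ACK"})),         # 3 handshake done
    Packet("192.0.2.9", 55555, "10.0.0.5", 8080, frozenset({"ACK"})),             # 4 stray ACK, no connection
    Packet("192.0.2.9", 55555, "10.0.0.5", 8080, frozenset({"SYN"})),             # 5 outside tries to open
    Packet("198.51.100.7", 10000, "10.0.0.5", 40000, frozenset({"RST", "ACK"})),  # 6 server resets
    Packet("198.51.100.7", 10000, "10.0.0.5", 40000, frozenset({"ACK"})),         # 7 late packet after reset
]


def run_trace(trace):
    """Return [(stateless_decision, stateful_decision), ...], one pair per packet."""
    fw = StatefulFirewall()
    return [(stateless_allow(p), fw.allow(p)) for p in trace]


if __name__ == "__main__":
    for p, (sl, sf) in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}"
              f"  stateless={'allow' if sl else 'drop'}  stateful={'allow' if sf else 'drop'}")
```

Packets 4 and 7 are the ones the slide is about: each is well-formed on its own, so the stateless filter passes it, but neither fits any connection the inside host opened, so the connection table rejects it.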
The Properties Option
• The ‘Properties’ option is under the ‘Options’ menu.
• A user can administer the connection properties for the connection chosen in
  the ‘Connection Entry’ dropdown menu, e.g. Cox to OU-Norman Campus.
The General Tab
Transparent Tunneling

Transparent tunneling is simply a method of tunneling that allows the VPN client
to pass IPsec through both firewalls and the network address translation
methods discussed later.
IPSec

• IPSec - Internet Protocol Security Protocol provides enhanced security
  features such as better encryption algorithms and more comprehensive
  authentication. IPSec has two encryption modes: tunnel and transport.
  – Tunnel mode encrypts the header and the payload of each packet.
  – Transport mode only encrypts the payload.
• IPSec can encrypt data between various devices, such as:
  – Router to router
  – Firewall to router
  – PC to router
  – PC to server
This material taken from www.howstuffworks.com
NAT

• Short for Network Address Translation, an Internet standard that enables a
  Local Area Network (LAN) to use one set of IP addresses for internal traffic
  and a second set of addresses for external traffic. A NAT box located where
  the LAN meets the Internet makes all necessary IP address translations.
• NAT serves three main purposes:
  – Provides a type of firewall by hiding internal IP addresses.
  – Enables a company to use more internal IP addresses. Since they're used
    internally only, there's no possibility of conflict with IP addresses used
    by other companies and organizations.
  – Allows a company to combine multiple ISDN connections into a single
    Internet connection.
PAT

• PAT - Short for port address translation. It is a type of network address
  translation. With PAT, each computer on the LAN is translated to the same IP
  address, but with a different port number assignment.
• PAT is also referred to as overloading, port mapping, port-level multiplexed
  NAT or single address NAT.
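The NAT and PAT slides above, worked through as a small translation table. This is an added example, not code from the slides: an address translator with one public address rewrites the source of every outbound packet to that address plus a port it assigns, reverses the rewrite for replies, and drops inbound packets for which no mapping exists, which is the "type of firewall" effect the NAT slide mentions. The public and private addresses, the port range and the traffic are constructed; mappings are keyed on the remote endpoint as well (the behaviour usually called symmetric NAT), which is a simplifying assumption rather than the only real-world behaviour.

```python
import itertools


class PortAddressTranslator:
    """Minimal PAT ("NAT overload"): all inside hosts share one public IP and are
    told apart by the public port the translator assigns to each flow."""

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self._next_port = itertools.count(first_port)   # constructed port pool
        # outbound: (inside_ip, inside_port, remote_ip, remote_port) -> public_port
        self.out_map = {}
        # inbound: (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.in_map = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside -> Internet packet's source to (public_ip, public_port)."""
        key = (src_ip, src_port, dst_ip, dst_port)
        pub_port = self.out_map.get(key)
        if pub_port is None:
            pub_port = next(self._next_port)            # allocate a fresh public port
            self.out_map[key] = pub_port
            self.in_map[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an Internet -> inside packet's destination back to the inside host.
        Returns None when no mapping exists: nothing inside solicited the packet,
        so it is dropped. This is what hides the internal addresses."""
        if dst_ip != self.public_ip:
            return None
        inside = self.in_map.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        return (src_ip, src_port, inside[0], inside[1])


def sample_session():
    """Constructed traffic: two inside hosts that both happen to use source port 40000."""
    pat = PortAddressTranslator("203.0.113.10")
    results = {}
    results["host_a_out"] = pat.outbound("10.0.0.5", 40000, "198.51.100.7", 10000)
    results["host_b_out"] = pat.outbound("10.0.0.6", 40000, "198.51.100.7", 10000)
    results["host_a_again"] = pat.outbound("10.0.0.5", 40000, "198.51.100.7", 10000)
    results["reply_to_b"] = pat.inbound("198.51.100.7", 10000, "203.0.113.10", 20001)
    results["unsolicited"] = pat.inbound("192.0.2.9", 55555, "203.0.113.10", 20000)
    results["wrong_remote"] = pat.inbound("198.51.100.7", 9999, "203.0.113.10", 20000)
    return results


if __name__ == "__main__":
    for name, value in sample_session().items():
        print(f"{name:12s} -> {value}")
```

Both inside hosts keep their private addresses and their identical source port; only the public port assigned by the translator distinguishes them on the Internet side. Because the table is keyed on ports, a protocol with no port field cannot be multiplexed this way; the client's transparent tunneling option on the General Tab exists precisely so that IPsec traffic can be carried in a form such a translator can handle.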
UDP

• UDP stands for “User Datagram Protocol”
• UDP - A connectionless protocol that, like TCP, runs on top of IP networks.
  Unlike TCP/IP, UDP/IP provides very few error recovery services, offering
  instead a direct way to send and receive datagrams over an IP network. It's
  used primarily for broadcasting messages over a network.
• A machine sends out information without confirming whether the recipient
  successfully received the message or not.
TCP

• Transmission Control Protocol
• TCP, the abbreviation of Transmission Control Protocol, is one of the main
  protocols in TCP/IP networks. Whereas the IP protocol deals only with
  packets, TCP enables two hosts to establish a connection and exchange streams
  of data. TCP guarantees delivery of data and also guarantees that packets
  will be delivered in the same order in which they were sent.
• A machine sends out data and continues to send the same data until it
  receives a confirmation that the recipient has received the data
  successfully.
• OU VPN uses port TCP 10000 only.
Allow local LAN access

Lets you connect to the computers that are physically connected to the same
network, e.g. all computers connected to the same hub/router.
Authentication Tab
Group Access Information usernames and passwords can be entered here.
Group Access Information

• All users currently connecting to OU-VPN are under the ‘users’ group. Hence
  the username for the group is ‘users’.
• The password for this group is ‘ou-vpn’.
• This information is normally saved in the ‘Cox to OU-Norman’ connection
  profile and should be there unless deleted.
Connections Tab
This tab enables you to use a dial-up connection to use VPN. Enabling ‘Connect
to the Internet via dial-up’ will first dial in to your non-OU ISP and then
attempt to connect to VPN.
Useful Websites

http://computer.howstuffworks.com/vpn.htm
http://www.cisco.com/