Transcript VPN

Virtual Private Networks (Tunnels)
When Are VPN Tunnels Used?
VPN with PPTP tunnel. Used if:
  All routers support VPN tunnels
  You are using MS-CHAP or EAP-TLS
  Router authentication uses user-based certificates
VPN with L2TP tunnel. Used if:
  All routers support VPN tunnels
  Router authentication uses computer-based certificates or user-based certificates
Components of Remote Connectivity
[Diagram: DHCP server, network access server (VPN or dial-up), domain controller, IAS (RADIUS) server, wireless access point, VPN client, dial-up client, wireless client]
The components fall into these groups:
  Network access service: network access server (VPN or dial-up), wireless access point
  Network access clients: VPN client, dial-up client, wireless client
  Authentication service: IAS (RADIUS) server
  Active Directory (not required): domain controller
  DHCP server
Configuration Requirements for a Network Access Server
A network access server is a server that acts as a gateway to a network for a client.
To configure the network access server, you will need to know:
  Whether the server will also act as a router
  Authentication methods and providers
  Client access
  IP address assignment
  PPP configuration options
  Event logging preferences
What Is a Network Access Client?
Type of client and description:
VPN client:
  Connects to a network across a shared or public network
  Emulates a point-to-point link on a private network
Dial-up client:
  Connects to a network by using a communications network
  Creates a physical connection to a port on a remote access server on a private network
  Uses a modem or ISDN adapter to dial in to the remote access server
Wireless client:
  Connects to a network by infrared light and radio frequency technologies
  Includes many different types of devices
What Are Network Access Authentication and Authorization?
[Diagram: network access client, network access server, domain controller; step 1 is authentication, step 2 is authorization]
Authentication: verifies a remote user's identification to the network service that the remote user is attempting to access (interactive logon)
Authorization: verifies that the connection attempt is allowed; authorization occurs after a successful logon attempt
Available Methods of Authentication
Remote and wireless authentication methods include:
  CHAP
  PAP
  SPAP
  MS-CHAP
  MS-CHAP v2
  EAP-TLS
  PEAP
  MD5 Challenge
Recommended method for user authentication is by using smart card certificates.
How a VPN Connection Works
A VPN extends the capabilities of a private network to encompass links across shared or public networks, such as the Internet, in a manner that emulates a point-to-point link.
[Diagram: VPN client, VPN server, domain controller]
  1. VPN client calls the VPN server
  2. VPN server answers the call
  3. VPN server authenticates and authorizes the client
  4. VPN server transfers data
Components of a VPN Connection
[Diagram: VPN client, VPN tunnel (tunneling protocols, tunneled data) across the transit network, VPN server, domain controller (authentication), DHCP server (address and name server allocation)]
Encryption Protocols for a VPN Connection
Category and description:
PPTP:
  Employs user-level Point-to-Point Protocol (PPP) authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption
L2TP/IPSec:
  Employs user-level PPP authentication methods over a connection that is encrypted with IPSec
Recommended authentication method for VPN network access is L2TP/IPSec with certificates.
Examples of Remote Access Server Using L2TP/IPSec
[Diagram: two deployments, each with a remote access server]
  Remote user to corporate network
  Branch office to branch office
Configuration Requirements for a VPN Server
Before adding a remote access / VPN server:
  Identify which network interface connects to the Internet and which network interface connects to your private network
  Identify whether clients receive IP addresses from a DHCP server or the VPN server
  Identify whether to authenticate connection requests by RADIUS or by the VPN server
How Dial-up Network Access Works
Dial-up networking is the process of a remote access client making a temporary dial-up connection to a physical port on a remote access server by using the service of a telecommunications provider.
[Diagram: dial-up client, remote access (RA) server, domain controller]
  1. Dial-up client calls the RA server
  2. RA server answers the call
  3. RA server authenticates and authorizes the client
  4. RA server transfers data
Components of a Dial-up Connection
[Diagram: dial-up client, WAN options (telephone, ISDN, X.25, or ATM), LAN and remote access protocols, remote access server, domain controller (authentication), DHCP server (address and name server allocation)]
Authentication Methods for a Dial-up Connection
Authentication methods for dial-up include:
  CHAP
  PAP
  SPAP
  MS-CHAP
  MS-CHAP v2
  EAP-TLS
  EAP-MD5 Challenge
[Diagram: mutual authentication between the remote access server and the remote access user]
Strongest method: EAP-TLS with smart cards
Configuration Requirements for a Remote Access Server
Before adding a remote access server for dial-up access:
  Identify whether clients receive IP addresses from a DHCP server or the remote access server
  Identify whether to authenticate connection requests by RADIUS or by the remote access server
  Verify that users have user accounts configured for dial-up access
Overview of Wireless Network Access
A wireless network uses technology that enables devices to communicate by using standard network protocols and electromagnetic waves—not network cabling—to carry signals over part or all of the network infrastructure.
[Diagram: DHCP server, network access server, domain controller, IAS server, wireless access point, wireless client]
Standard infrastructure WLAN:
  Clients connect to wireless access points
Peer-to-peer WLAN:
  Network wireless clients communicate directly with each other without the use of cables
Components of a Wireless Connection
[Diagram: wireless client (station), wireless access point, remote access server ports, domain controller (authentication), DHCP server (address and name server allocation)]
Wireless Standards
Standard and description:
802.11:
  A group of specifications for WLANs developed by IEEE
  Defines the physical and MAC portion of the OSI data-link layer
802.11b:
  11 megabits per second
  Good range but susceptible to radio signal interference
  Popular with home and small business users
802.11a:
  Transmission speeds as high as 54 Mbps
  Allows wireless LAN networking to perform better for video and conferencing applications
  Works well in densely populated areas
  Is not interoperable with 802.11, 802.11b, 802.11g
802.11g:
  Enhancement to and compatible with 802.11b
  54 Mbps but at shorter ranges than 802.11b
802.1x:
  Authenticates clients before it lets them on the network
  Can be used for wireless or wired LANs
  Requires greater hardware and infrastructure investment
Authentication Methods for Wireless Networks
802.1x authentication methods and description:
EAP-MS-CHAP v2:
  Provides mutual authentication
  Uses certificates for server authentication and password-based credentials for client authentication
EAP-TLS:
  Provides mutual authentication and is the strongest method of authentication and key determination
  Uses certificates for both server and client authentication
PEAP:
  Provides support for EAP-TLS and EAP-MS-CHAP v2
  Encrypts the negotiation process
Lesson: Centralizing Network Access Authentication and Policy Management by Using IAS
  What Is RADIUS?
  What Is IAS?
  How Centralized Authentication Works
  How to Configure an IAS Server for Network Access Authentication
  How to Configure the Remote Access Server to Use IAS for Authentication
What Is RADIUS?
RADIUS is a widely deployed protocol, based on a client/server model, that enables centralized authentication, authorization, and accounting for network access.
  RADIUS is the standard for managing network access for VPN, dial-up, and wireless networks
  Use RADIUS to manage network access centrally across many types of network access
  RADIUS servers receive and process connection requests or accounting messages from RADIUS clients or proxies
What Is IAS?
IAS, a Windows Server 2003 component, is an industry-standard compliant RADIUS server. IAS performs centralized authentication, authorization, auditing, and accounting of connections for VPN, dial-up, and wireless connections.
[Diagram: RADIUS server]
You can configure IAS to support:
  Dial-up corporate access
  Extranet access for business partners
  Internet access
  Outsourced corporate access through service providers
How Centralized Authentication Works
[Diagram: client, remote access server acting as RADIUS client, RADIUS server, domain controller]
  1. Client dials in to a local RADIUS client to gain network connectivity
  2. RADIUS client forwards requests to a RADIUS server
  3. RADIUS server authenticates requests and stores accounting information
  4. RADIUS server communicates to the RADIUS client to grant or deny access
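The exchange in steps 2 through 4 above, between the RADIUS client (the remote access server) and the RADIUS server, as an added example that is not part of the original course material and not IAS's own code: it builds an Access-Request with the User-Password hidden under the shared secret as RFC 2865 describes, has the server check it against a constructed user table, and has the client verify the Response Authenticator on the Access-Accept or Access-Reject so that a reply from a party that does not hold the shared secret is ignored. The shared secret, Request Authenticator, user name and password are constructed sample values.

```python
import hashlib, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # RADIUS attribute type codes (RFC 2865)

def pack(code, ident, authenticator, attrs):
    # 20-byte header (code, id, length, 16-byte authenticator) + type/length/value attributes
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
def unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs
def hide_password(password, secret, req_auth):
    # RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(p), 16):
        prev = bytes(a ^ b for a, b in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out
def unhide_password(hidden, secret, req_auth):
    # Reverse of hide_password: the chained "previous block" is the hidden block, not the plaintext
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()
def build_access_request(user, password, secret, ident, req_auth):
    # Step 2: the RADIUS client forwards the credentials; req_auth is the 16-byte Request
    # Authenticator, which a real client draws fresh from os.urandom(16) for every request.
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(password, secret, req_auth))]
    return pack(ACCESS_REQUEST, ident, req_auth, attrs)
def handle_access_request(pkt, secret, users):
    # Step 3: the RADIUS server checks the credentials against its user store (a constructed dict here)
    code, ident, req_auth, attrs = unpack(pkt)
    a = dict(attrs)
    ok = users.get(a.get(USER_NAME, b"").decode()) == unhide_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    reply = pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
    # Step 4: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return reply[:4] + hashlib.md5(reply + secret).digest() + reply[20:]
def verify_response(resp, req_auth, secret):
    # The RADIUS client accepts the verdict only if the reply proves knowledge of the shared secret
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return resp[0] if resp[4:20] == expected else None
```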