What is a VPN
Virtual Private Networks
Alberto Pace
What is a VPN ?
A technology that allows confidential data to be sent
securely over the internet (a public, untrusted network)
IT/IS Technical Meeting – January 2002
What is a VPN ?
The remote computer can connect to the internet
using an arbitrary Internet Service Provider (ISP) and
still obtain an IP address on the intranet.
The computer can then act as if it were on the intranet
Point-to-Point Tunneling Protocol
You can access a private network through the Internet or
other public network by using a virtual private network
(VPN) connection with the Point-to-Point Tunneling
Protocol (PPTP).
Developed as an extension of the Point-to-Point Protocol
(PPP).
PPTP tunnels, or encapsulates, IP, IPX or NetBEUI protocols
inside PPP datagrams.
PPTP does not require a dial-up connection. It does,
however, require IP connectivity between your computer
and the server: a TCP control connection on port 1723 and
GRE (IP protocol 47) carrying the tunnelled PPP frames
My understanding is that it uses Microsoft Point-to-Point
Encryption (MPPE)
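The layering just described (a network-layer packet inside a PPP frame inside an enhanced GRE packet), as an added example in Go; this is not code from the slides or from CERN's setup. It encodes a PPTP data packet as RFC 2637 lays it out and decodes it again, checking the version, K bit and protocol type a PPTP packet must carry, bounds-checking the declared payload length against the packet, and handling the optional PPP address/control bytes and the one-byte (compressed) protocol field. The IPv4 header in main is a constructed sample; the type and function names are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// PPP protocol numbers for the payloads the slide lists (RFC 1700 assignments)
// and the enhanced GRE protocol type PPTP uses for PPP (RFC 2637).
const (
	pppIPv4    = 0x0021
	pppIPX     = 0x002B
	pppNetBEUI = 0x003F // NetBIOS Frames
	grePPP     = 0x880B
)

// PPTPData is one decoded PPTP data packet: the enhanced GRE fields plus the PPP frame inside.
type PPTPData struct {
	CallID   uint16
	Seq, Ack uint32
	HasAck   bool
	PPPProto uint16
	Payload  []byte
}

// EncodePPTP wraps a network-layer packet in a PPP frame and that in an enhanced GRE
// header: flags K+S (+A when ack is given), version 1, protocol 0x880B, key = payload
// length and call ID, then the sequence number (and acknowledgment number if present).
func EncodePPTP(callID uint16, seq uint32, ack *uint32, pppProto uint16, payload []byte) []byte {
	ppp := make([]byte, 2+len(payload))
	binary.BigEndian.PutUint16(ppp, pppProto)
	copy(ppp[2:], payload)
	hdr := make([]byte, 12, 16)
	hdr[0], hdr[1] = 0x30, 0x01 // K=1, S=1; version 1 (enhanced GRE)
	binary.BigEndian.PutUint16(hdr[2:], grePPP)
	binary.BigEndian.PutUint16(hdr[4:], uint16(len(ppp))) // key high word: payload length
	binary.BigEndian.PutUint16(hdr[6:], callID)           // key low word: call ID
	binary.BigEndian.PutUint32(hdr[8:], seq)
	if ack != nil {
		hdr[1] |= 0x80 // A=1
		hdr = hdr[:16]
		binary.BigEndian.PutUint32(hdr[12:], *ack)
	}
	return append(hdr, ppp...)
}

// DecodePPTP parses the GRE header, rejects anything that is not enhanced GRE carrying PPP,
// bounds-checks the payload length, then strips the PPP framing (optional 0xFF 0x03
// address/control, one- or two-byte protocol field) to expose the tunnelled packet.
func DecodePPTP(pkt []byte) (*PPTPData, error) {
	if len(pkt) < 8 {
		return nil, errors.New("truncated GRE header")
	}
	flags := binary.BigEndian.Uint16(pkt)
	if flags&0x0007 != 1 || flags&0x2000 == 0 || binary.BigEndian.Uint16(pkt[2:]) != grePPP {
		return nil, errors.New("not an enhanced GRE/PPP (PPTP) packet")
	}
	d := &PPTPData{CallID: binary.BigEndian.Uint16(pkt[6:])}
	plen, off := int(binary.BigEndian.Uint16(pkt[4:])), 8
	if flags&0x1000 != 0 { // S: sequence number present
		if len(pkt) < off+4 {
			return nil, errors.New("truncated sequence number")
		}
		d.Seq, off = binary.BigEndian.Uint32(pkt[off:]), off+4
	}
	if flags&0x0080 != 0 { // A: acknowledgment number present
		if len(pkt) < off+4 {
			return nil, errors.New("truncated acknowledgment number")
		}
		d.Ack, d.HasAck, off = binary.BigEndian.Uint32(pkt[off:]), true, off+4
	}
	if plen > len(pkt)-off {
		return nil, errors.New("payload length exceeds packet")
	}
	ppp := pkt[off : off+plen]
	if len(ppp) >= 2 && ppp[0] == 0xFF && ppp[1] == 0x03 {
		ppp = ppp[2:]
	}
	switch {
	case len(ppp) == 0:
		return nil, errors.New("empty PPP frame")
	case ppp[0]&1 == 1: // protocol field compression: a single odd byte
		d.PPPProto, d.Payload = uint16(ppp[0]), ppp[1:]
	case len(ppp) < 2:
		return nil, errors.New("truncated PPP protocol field")
	default:
		d.PPPProto, d.Payload = binary.BigEndian.Uint16(ppp), ppp[2:]
	}
	return d, nil
}

// ProtoName maps the PPP protocol field to the network protocols the slide says PPTP carries.
func ProtoName(p uint16) string {
	switch p {
	case pppIPv4:
		return "IP"
	case pppIPX:
		return "IPX"
	case pppNetBEUI:
		return "NetBEUI"
	}
	return fmt.Sprintf("PPP protocol 0x%04X", p)
}

func main() {
	// Constructed sample payload: a minimal 20-byte IPv4 header, 10.0.0.1 -> 10.0.0.2, UDP.
	ip := []byte{0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2}
	ack := uint32(41)
	d, err := DecodePPTP(EncodePPTP(7, 42, &ack, pppIPv4, ip))
	if err != nil {
		panic(err)
	}
	fmt.Printf("call %d seq %d ack %d carries %s, %d bytes\n", d.CallID, d.Seq, d.Ack, ProtoName(d.PPPProto), len(d.Payload))
}
```

The detail that matters for the firewall question later in the slides: the tunnelled PPP frames travel in GRE (IP protocol 47) and carry no port number at all; TCP port 1723 carries only the PPTP control connection, so both must be permitted before a session can come up.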
Layer Two Tunneling Protocol
L2TP is an industry-standard Internet tunneling protocol
with roughly the same functionality as the Point-to-Point
Tunneling Protocol (PPTP).
Like PPTP, L2TP encapsulates Point-to-Point Protocol (PPP)
frames, which in turn encapsulate IP, IPX, or NetBEUI
protocols
L2TP itself does not encrypt. With L2TP over the new
Internet Protocol security (IPSec), the computer performs all
security checks and validations and the IPSec layer encrypts
the data, which makes it much safer to send information over
nonsecure networks
In that case data in transit through an L2TP/IPSec VPN is as
well protected as traffic within a single LAN at a corporate site
Internet Protocol security (IPSec)
IPSec provides machine-level authentication, as well
as data encryption.
IPSec negotiates between your computer and the
remote tunnel server before the L2TP connection is
established, so the PPP user authentication (passwords)
and the data both travel inside the already-encrypted tunnel
Authentication Methods
Challenge Handshake Authentication Protocol (CHAP)
Challenge-response using Message Digest 5 (MD5); the password itself
never crosses the wire
MS-CHAP
Same as CHAP, plus the functionality to which LAN-based users are
accustomed (Windows domain logon credentials); the response is built
from the MD4-based NT password hash with DES rather than from MD5
MS-CHAP is consistent with standard CHAP (superset of
functionalities)
You must use at least MS-CHAP to use MPPE (encryption), because the
MPPE keys are derived from the MS-CHAP password hash
MS-CHAP v2
Mutual challenge-response: both the client and the server prove their
identities, not only the client.
With v2 a connection can be configured so that it only completes
against the expected server
Extensible Authentication Protocol (EAP)
Allows other security devices to be used. EAP provides a standard
mechanism for supporting additional authentication methods within
PPP, including token cards, one-time passwords, public key
authentication using smart cards, certificates, and others
Types of VPNs
Router-to-Router
Types of VPNs
Remote Access VPNs
Tests at CERN
PCAP7 (computer in my office)
From the client
The machine we have is on the intranet only. We have
to simulate internet/intranet.
The page http://cern.ch/Win/Temp/vpn.asp considers
the address 137.138.32.xxx as intranet
Connect to the VPN
From “My Network Places” – Right-Click –
“Properties” – “Create New Connection”
Try to connect
Conclusions so far
If we open the pptp port on address 137.138.33.62, we have
today a working solution with the following limitations
Uses PPTP and Microsoft Point-to-Point Encryption
Windows computers have all the necessary software natively
Windows machines can be identified (as members of the
domain or of an ad-hoc domain)
Security is strengthened by the domain logon, which can be
tightened as much as you want
This is the current “industry standard”
Used world-wide, secure and proven technology
Evolution towards L2TP and IPSec coming, but slowly
(requires heavy infrastructure)
More conclusion so far
Using this technology, we could rapidly open a VPN service for
WINDOWS users
Support for Linux users could come from the "community"
Time to install and configure the VPN server ~ 8 hours
Time to install a Windows client that already has TCP/IP connectivity ~
1 minute
May be very expensive to formally support Linux clients
Not a standard technology: to my knowledge, no company has
"roaming Linux users" on the internet to the same extent that we have
Deploying the IPsec infrastructure to support L2TP will require an
administrative office to distribute, revoke and maintain computer
certificates and user certificates.
May not be possible within the current resources / May require several
years
Yet another computer registration? Yet another user registration?
We should try to have LANDB and CCDB move in this direction. Only if this
happens can the investment be justified.