Module 10: Providing Secure Access to Remote Offices

Overview

Defining Private and Public Networks

Securing Connections Using Routers

Securing VPN Connections Between Remote Offices

Identifying Security Requirements

Medium and large-sized organizations often create an
intranet to connect remote offices. You can connect
remote offices by using either a private network or a
public network.
Regardless of the connection method used, the data
transmitted over a network is vulnerable to
unauthorized monitoring and access. Microsoft®
Windows® 2000 provides a number of security features
that you can use to secure data that is transmitted
between remote offices over a private or public network.
At the end of this module, you will be able to:

Describe the difference between a private network and a
public network.

Plan a secure connection between two remote networks
by using routers.

Plan a secure connection between two remote networks
by using a virtual private network (VPN).

Identify the security requirements that must be
considered while planning secure connections between
remote offices.
Defining Private and Public Networks
[Figure: Private networks: Seattle and Tokyo linked by a dedicated connection. Public networks: Seattle and Tokyo linked through the Internet.]

You can connect remote office networks by using a
dedicated private network, or by using a shared public
network, such as the Internet. When selecting a remote
connection, evaluate the potential risks involved in
exposing transmitted data on a network, in addition to
the usage costs associated with each type of network.
Securing Connections Using Routers

Introducing Router Security

Using a Windows 2000–based Router
In this lesson you will learn about the following topics:

Introducing router security

Using a Windows 2000-based router

A router is a device that forwards packets from one
network to another. You can use a router's security
features, such as packet filtering, authentication, and
encryption, to transmit data securely between remote
offices.
To provide network connectivity between remote offices
and your network, you can use a hardware-based router,
configure a Windows 2000-based server as a router, or
use a combination of both.
Introducing Router Security
[Figure: Routers in Seattle and Tokyo providing encryption, packet filtering, and mutual authentication.]

A router is the first point of entry for data that is
transmitted into a network. Most routers can provide
network security by filtering packets, providing
authentication services, and encrypting data.
Packet Filtering

You can use routers to set conditions (called rules)
regarding how packets are sent and received on a
network. Rules can be set to block packets from
specific users, from specific networks, for specific
types of protocols, or to specific ports.
Mutual Authentication

Routers may also provide mutual authentication
services to validate a connection between two routers.
Router validation prevents an unauthorized router from
establishing a connection to a router on an
organization's private network. For example, in a
demand-dial routing connection, a calling router at a
remote office authenticates itself to an answering router
at another remote office. Then, through mutual
authentication, the answering router authenticates itself
to the calling router.
Encryption

You can use an encrypting router to guarantee the
confidentiality of transmitted data. An encrypting router
accepts unencrypted data from the internal network
and, based on the routing destination, determines
whether the packet is to be encrypted. If the data is
transmitted through an unsecured portion of the
network, the router encrypts the data. The receiving
router decrypts the data and forwards it to the
destination host.
Using a Windows 2000–based Router
[Figure: Windows 2000-based routers connecting the corporate office and the remote offices across the Internet.]

Network Address Translation

IP Packet Filtering

Virtual Private Network

As an alternative to purchasing dedicated router
hardware, you can configure a Windows 2000-based
server as a router by installing Routing and Remote
Access. A Windows 2000-based router can provide
security features, such as network address translation
(NAT), Internet Protocol (IP) packet filtering, and the use
of a VPN.
Network Address Translation

NAT translates private IP addresses, defined in RFC
1918, into public IP addresses for traffic to and from the
Internet. The translation process keeps the internal
network secure from the Internet by not exposing the
internal network addressing scheme to the public. NAT
also saves the remote office administrator the time and
expense of obtaining and maintaining a public address
range.
IP Packet Filtering

IP packet filtering can filter specific types of IP traffic. IP
packet filtering provides a way for a network
administrator to precisely define the IP traffic that is
secured, blocked, or passed through the router. For
example, you can set up filters on a dedicated Web
server to process only Web-based Transmission Control
Protocol (TCP) traffic (TCP port 80).
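
The rule-based filtering described in the Packet Filtering and IP Packet Filtering topics, as an added example (Python, not part of the original courseware): a first-match rule evaluator with a default action of drop, applied to the dedicated Web server case. The rule format, function names, and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "drop"
    src: str = "0.0.0.0/0"   # source network in CIDR form
    proto: str = "any"       # "tcp", "udp", "icmp" or "any"
    dport: int = 0           # destination port, 0 means any

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (0, pkt.get("dport", 0)))


def filter_packet(rules, pkt, default="drop"):
    """First matching rule wins; unmatched traffic gets the default action."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return default, None


# Constructed rule set: block one network outright, then permit only
# TCP port 80. Everything else falls through to the default drop.
WEB_SERVER_RULES = [
    Rule("drop", src="198.51.100.0/24"),
    Rule("permit", proto="tcp", dport=80),
]

# Constructed sample packets.
SAMPLE_PACKETS = [
    {"src": "203.0.113.5", "proto": "tcp", "dport": 80},    # Web request
    {"src": "203.0.113.5", "proto": "tcp", "dport": 3389},  # other TCP port
    {"src": "198.51.100.9", "proto": "tcp", "dport": 80},   # blocked network
    {"src": "203.0.113.5", "proto": "udp", "dport": 80},    # wrong protocol
    {"src": "203.0.113.5", "proto": "icmp"},                # no port at all
]


def verdicts(rules=WEB_SERVER_RULES, packets=SAMPLE_PACKETS):
    return [filter_packet(rules, p)[0] for p in packets]
```

Rule order is part of the policy: with the two rules reversed, the Web request from the blocked network matches the permit rule first and is passed.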
Virtual Private Network

A VPN enables secure communications between two
offices by emulating the properties of a point-to-point
private connection. In a router-to-router VPN
connection, data transmitted between private networks
is encrypted by default.
Note: When configuring a Windows 2000-based server
as a router in a high-security network, it is a good
design strategy to make the server a dedicated IP router.
Services installed on the same server can potentially be
exposed to public access.
Securing VPN Connections Between Remote Offices
[Figure: Virtual private network tunnel.]

Connecting Remote Offices over Private Networks

Connecting Remote Offices over Public Networks

Selecting a Tunneling Protocol

VPNs provide a secure method of connecting two
remote offices over a private or public network. VPN
connections work by creating a virtual circuit, or tunnel,
between the routers located at each remote office
network. In a router-to-router VPN connection, the data
that is transmitted between the private networks is
encrypted by default.

In this lesson, you will learn that when securing remote office
connections by using VPNs, you must:

Identify the scenarios in which a VPN can be used to
secure connections between two networks within a
private intranet.

Identify the scenarios in which VPNs can be used to
secure connections between two remote offices over the
public Internet.

Determine which tunneling protocol to use for a VPN
connection.
Connecting Remote Offices over Private Networks
[Figure: Windows 2000–based routers forming a VPN tunnel between HR Seattle and HR Tokyo.]

VPN connections can restrict access to information
within an organization's intranet. For example, you can
use a VPN to connect to a secure server or to provide a
secure connection between two internal networks. You
can also establish a VPN connection over a private
network by using dial-up or dedicated leased lines.

A router-to-router VPN connection can provide a secure
connection between two internal networks. For example,
consider a Human Resources (HR) department with
users located in two different cities. The users need to
securely exchange information over the organization's
intranet. In this case, you would configure a VPN server
on both networks and establish a secure connection
between the two VPN servers. All data transmitted
between the two networks is encrypted by default.
Connecting Remote Offices over Public Networks
[Figure: Seattle and Tokyo, each connected through an ISP to the Internet.]

VPN connections can secure the exchange of
information between two remote networks over the
Internet. An Internet-based VPN connection is
established by creating a tunnel between the routers
located at each remote office.

For example, a corporate office and a branch office in an
organization can be securely connected over the
Internet by creating a router-to-router VPN connection
between the two offices. To create a router-to-router
VPN connection, you connect each VPN router to a local
ISP. You can then establish a VPN connection between
the two networks. The connection between the VPN
router and the ISP can be a demand-dial connection or a
dedicated connection.
Selecting a Tunneling Protocol
Features                                    PPTP  L2TP/IPSec  IPSec Tunnel Mode
Support for NAT                              X
User Authentication                          X        X
Machine Authentication                                X              X
Multi-Protocol Support                       X        X
Stronger Security                                     X              X
Support for Non–Windows 2000–based Clients   X                       X

Point-to-Point Tunneling Protocol (PPTP), Layer Two
Tunneling Protocol over Internet Protocol Security
(L2TP/IPSec), and IPSec tunnel mode are three standard
authentication and encryption protocols used to protect
data transmitted over public or private networks. The
type of protocol that you choose will depend on your
network configuration and the security needs of your
organization.
PPTP

PPTP tunnels encrypt transmitted data by using
Microsoft Point-to-Point Encryption (MPPE). MPPE can
use 40-bit, 56-bit, or 128-bit encryption keys. The 40-bit
key provides backward compatibility with client
computers that are not using Windows 2000.
Specify PPTP if:

Data transmissions must pass through a NAT server.

Network clients run Microsoft Windows NT® version 4.0 or Microsoft
Windows 98.

Network routers do not support L2TP/IPSec.

User-based authentication is sufficient, and you do not require the
added security of machine-based authentication.

A machine-based certificate infrastructure, such as Kerberos version
5 or Public Key Infrastructure (PKI), does not exist.

Note: 128-bit encryption is subject to import and export laws that can
vary by government. For more information, refer to local government
regulations.
L2TP over IPSec

L2TP transmissions are protected by using the IPSec
protocol to encrypt transmitted data. IPSec can use 40-bit Data Encryption Standard (DES), 56-bit DES, or Triple
DES (3DES) encryption algorithms. IPSec can use
Kerberos V5 authentication, public key certificates, or a
secret shared key to establish a secure connection
between two computers.
Use L2TP/IPSec if:

You need stronger security than PPTP provides.

You require the added security of machine-based
authentication but want to maintain user authentication.

Note: 3DES provides the strongest level of security;
however, using this encryption algorithm can increase
the processing requirements for all computers that are
configured to 3DES. 3DES is also subject to import and
export laws that regulate encryption technology.
IPSec Tunnel Mode

IPSec tunnel mode uses Encapsulating Security Payload (ESP) to
encrypt traffic. IPSec tunnel mode encrypts all traffic transmitted
between the client and server systems as it traverses between the
two endpoints of the tunnel. Data is decrypted when it reaches the
endpoint nearest the destination computer. IPSec tunnel mode is
best deployed in the following circumstances:

You need to interoperate with other routers or gateways that do not
support L2TP/IPSec or PPTP VPN tunneling technology.

You do not require user authentication of the two endpoints involved in
the IPSec tunnel.

You will only be sending IP traffic to and from the remote offices.

You need stronger security than the security provided by PPTP.

You require the added security of machine-based authentication.
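
The selection criteria in this topic, as an added example (Python, not part of the original courseware): a requirements check against the feature matrix from the table and the selection lists above, which also reports the conflict when no single protocol covers every requirement. The feature keys and function names are constructed for illustration.

```python
# Feature matrix transcribed from the "Selecting a Tunneling Protocol" topic.
FEATURES = {
    "PPTP": {"nat", "user_auth", "multi_protocol", "non_win2000_clients"},
    "L2TP/IPSec": {"user_auth", "machine_auth", "multi_protocol",
                   "stronger_security"},
    "IPSec tunnel mode": {"machine_auth", "stronger_security",
                          "non_win2000_clients"},
}


def evaluate(requirements):
    """Return {protocol: set of required features that protocol lacks}."""
    required = set(requirements)
    unknown = required - set().union(*FEATURES.values())
    if unknown:
        raise ValueError(f"unknown requirement(s): {sorted(unknown)}")
    return {proto: required - have for proto, have in FEATURES.items()}


def candidates(requirements):
    """Protocols that satisfy every requirement."""
    return [p for p, missing in evaluate(requirements).items() if not missing]


def conflicts(requirements):
    """When nothing fits, list the closest protocols and what each lacks."""
    gaps = evaluate(requirements)
    if any(not missing for missing in gaps.values()):
        return []
    fewest = min(len(missing) for missing in gaps.values())
    return sorted((p, sorted(m)) for p, m in gaps.items() if len(m) == fewest)
```

A design that needs both NAT traversal and machine-based authentication returns no candidate from this matrix, so one of the two requirements, or the network layout, has to change.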
Identifying Security Requirements
Step 1: Determine What Must Be Secured
Step 2: Determine the Level of Security to Apply
Step 3: Determine Encryption Requirements

Before designing a security plan for connecting remote
offices, you must first identify the security requirements
for the data transmitted to and from the remote offices.
To identify security requirements, begin by determining
the data path and network devices used to transmit
secure information; then decide the level of security that
you want to implement; and finally, determine the
encryption requirements.
Step 1: Determine What Must Be Secured

Determine the complete path that sensitive data will
travel as it is transmitted between two hosts on a
network. Establishing the data path will help you
identify the routers, computers, and other devices that
you must configure to secure data transmissions.
Step 2: Determine the Level of Security to Apply

Determine whether you need to secure the data for
integrity, confidentiality, or both. The level and type of
security applied to the data depends on the type of
information that is being sent across the network.
Step 3: Determine Encryption Requirements

Determine whether all routers, servers, and
workstations support the authentication and encryption
methods that you have selected. To reduce the
processing requirements for all computers that are
configured to encrypt data, use the minimum level of
encryption required.
Lab A: Planning Secure Connections for Remote
Offices
Objectives
After completing this lab, you will be able to:

Determine the appropriate tunneling solution to connect
remote offices to a network.
Prerequisites
Before working on this lab, you must have:

Knowledge of the different methods available for
connecting remote offices across public or private
networks.

Knowledge of VPN tunneling concepts and the
differences between various authentication and
encryption methods.

In this lab, you will plan secure connections for remote
offices, and suggest a design strategy for connecting
two private networks by using the Internet.
Review the scenario and the design criteria, and then
answer the questions at the end of the exercise.
Exercise 1: Planning a VPN Tunneling Strategy for a
Small Remote Office

Scenario
Northwind Traders needs to establish a secure remote
access connection between the networks in its
corporate office and its Miami office. The two networks
are connected to the Internet by using an Integrated
Services Digital Network (ISDN) connection. The
connection between the corporate network and the
Miami office is configured as shown below:
The Miami and corporate offices are configured as follows:

All computers at the Miami office access the Internet
through a Windows 2000-based server running Routing
and Remote Access.

All IP address settings for client computers at the Miami
office are configured by using NAT, which is configured
on the Windows 2000-based server running Routing and
Remote Access.

The tunnel server at the corporate office is located
behind an external firewall that performs NAT.
Criteria
The network design must meet the following conditions:

Users who use Windows 2000-based computers at the
Miami office need access to servers at the corporate
office.

All data sent over the Internet must be protected by
using the strongest encryption method possible.
Exercise 2: Selecting a Tunnel Solution Based on
Network Configuration

Scenario
Northwind Traders has opened a new remote office in
New Jersey, and needs to determine the best method of
connecting the New Jersey office network to the
corporate network. Currently, the corporate office
connects to the Internet by using a T3 line, and the New
Jersey office connects to the Internet by using a
fractional T1 connection. The connection between the
corporate network and the New Jersey office is
configured as shown below:
The New Jersey office and the corporate office are configured as
follows:

All computers at the New Jersey office access the corporate office by
using a hardware-based router.

The hardware-based router at the New Jersey office supports IPSec.

The external IP address of the router at the New Jersey office is
131.107.100.1.

The internal addresses assigned at the New Jersey office are
protected by NAT implemented at the hardware-based router.

The tunnel server at the corporate office is located within a screened
subnet between the corporate office network and the Internet.

The external firewall does not perform NAT.

The IP address of the tunnel server at the corporate office is
131.107.2.23.

The external IP address of the external firewall is 131.107.1.1.
Criteria
The network design must meet the following conditions:

All data sent over the Internet must be protected by
using the strongest encryption method possible.

The encryption solution must be interoperable with the
hardware-based router at the New Jersey office.

The corporate office must ensure that only the router at
the New Jersey office can connect to the tunnel server
at the corporate office.
Review

Defining Private and Public Networks

Securing Connections Using Routers

Securing VPN Connections Between Remote Offices

Identifying Security Requirements