Deploy User VPNs - Faculty Personal Homepage


Lesson 11: Virtual Private Networks

Overview
- Define Virtual Private Networks (VPNs).
- Deploy User VPNs.
- Deploy Site VPNs.
- Understand standard VPN techniques.
- Understand the types of VPN systems.

Define Virtual Private Networks
Characteristics of VPNs:
- Traffic is encrypted to prevent eavesdropping.
- The remote site is authenticated.
- Multiple protocols are supported over the VPN.
- The connection is point to point.

- To access a central server, VPNs may require authentication, or both ends of the VPN may be required to authenticate each other.
- VPNs can handle various protocols, especially application layer protocols.
- Each VPN channel is distinct and uses encryption to separate traffic.
- There are two types of VPNs: user VPNs and site VPNs.
Deploy User VPNs
- VPNs between individual users’ machines and an organization’s site or network are called user VPNs.
- User VPNs are used for employees who either travel or telecommute.
- The VPN server may be either the organization’s firewall or a separate VPN server.
- While establishing a VPN, the site will request user authentication.
- On successful authentication, the user is allowed to access the internal network.
- Although the user has a VPN connection back to the organization, they still have access to the Internet.

Topics:
- Benefits of user VPNs.
- Issues with user VPNs.
- Managing user VPNs.

Benefits of User VPNs
- Employees who are traveling can access e-mail, files, and internal systems without expensive equipment.
- Employees working from home can access the network’s services just as employees working from within the organization’s facilities do.

Issues with User VPNs
- User VPNs, if optimally utilized, can reduce an organization’s costs.
- Significant security risks and implementation issues must be addressed.
- The largest security concern is the employee’s simultaneous connection to the Internet. The risk of malicious code being sent through the computer is high.

[Figure: Use of a Trojan horse program to access an organization’s internal network.]

- User VPNs require paying the same attention to user management issues as internal systems.
- The use of a two-factor authentication process is recommended, since the VPN permits access to internal resources.
- Additional support for VPN users must include a personal firewall and updated anti-virus software to protect the internal network.

Managing User VPNs
- Managing user VPNs is primarily an issue of managing the users and their computer systems.
- The appropriate user management procedures should be in place and followed during employee separation.
- A good anti-virus software package must be installed on the user’s computer.
Deploy Site VPNs
- Site VPNs allow organizations to connect locations without the cost of expensive leased lines.
- The sites of a site VPN authenticate each other with certificates or shared secrets.
- Site VPNs save costs.

Issues:
- Policies and restrictions allow the organization to limit what a remote site can access or do once connected.
- VPNs are an extension of the company’s sites. A weak remote site is a risk, as it allows an intruder to access the internal network.
- A coherent and logical IP addressing scheme should be used for all sites.

Managing site VPNs:
- Monitoring the site ensures smooth communication between the sites and compliance with the policies.
- Routes to remote sites will need to be created on the internal network. They should be well documented to ensure that they are not deleted.
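The two site-VPN management points above (a coherent addressing scheme and documented routes to each remote site) can be checked mechanically. The following is an added example, not part of the lecture: the site names, subnets and gateway peer addresses are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed multi-site addressing plan (not from the lecture): each site's
# internal subnets and the public address of its VPN gateway ("peer").
SITES = {
    "headquarters": {"peer": "203.0.113.1", "subnets": ["10.1.0.0/16"]},
    "branch-east":  {"peer": "203.0.113.2", "subnets": ["10.2.0.0/16"]},
    "branch-west":  {"peer": "203.0.113.3", "subnets": ["10.3.0.0/16"]},
}


def find_overlaps(sites):
    """Return (site_a, net_a, site_b, net_b) for every pair of subnets that
    overlap across different sites. A coherent scheme returns an empty list;
    an overlap means traffic for one site could be routed to the other."""
    overlaps = []
    for (name_a, a), (name_b, b) in combinations(sites.items(), 2):
        for net_a in map(ipaddress.ip_network, a["subnets"]):
            for net_b in map(ipaddress.ip_network, b["subnets"]):
                if net_a.overlaps(net_b):
                    overlaps.append((name_a, str(net_a), name_b, str(net_b)))
    return overlaps


def build_routes(sites):
    """Return the routes each site must carry on its internal network so that
    traffic for every other site is handed to that site's VPN gateway.
    Each entry is (destination, next_hop_peer, reason); the reason string is
    what should be recorded so the route is not deleted by mistake."""
    routes = {}
    for local in sites:
        routes[local] = []
        for remote, remote_cfg in sites.items():
            if remote == local:
                continue
            for net in remote_cfg["subnets"]:
                routes[local].append(
                    (net, remote_cfg["peer"], f"site VPN to {remote}"))
    return routes


if __name__ == "__main__":
    print("overlaps:", find_overlaps(SITES))
    for site, entries in build_routes(SITES).items():
        for dest, peer, reason in entries:
            print(f"{site}: {dest} via {peer}  # {reason}")
```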
Understand Standard VPN Techniques
A VPN comprises four key components:
- VPN server
- Encryption algorithms
- Authentication system
- VPN protocol

A proper VPN architecture depends on properly identifying its requirements, including:
- The length of time for which information should be protected.
- The number of simultaneous user connections.
- The types of user connection expected.
- The number of remote site connections.
- The types of VPNs that will need to connect.
- The amount of traffic to and from remote sites.
- The security policy governing the security configuration.

VPN Server
- The VPN server is the computer system that acts as the endpoint for the VPN.
- Most VPN software vendors should be able to provide a recommended processor speed and memory configuration based on the number of simultaneous VPN connections.
- Some vendors also provide a means of fail-over and allow for redundant VPN servers.

[Figure: Firewall policy rules including a VPN DMZ.]
Encryption Algorithms
- The encryption used on the VPN should be a well-known, strong algorithm.
- For an intruder to read a VPN communication successfully, they would:
  - Need a sniffer on the path traveled by the packets that captures the entire session.
  - Need substantial computing power to brute-force the key and decrypt it.

Authentication System
- The VPN authentication system should be a two-factor system.
- Users can be authenticated by what they are, what they have, or what they know.
- A smart card with a PIN or password is a good two-factor combination for authenticating users.
- If an organization chooses to use only passwords for the VPN, they should be strong and changed on a regular basis.
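A common mistake is to count two methods from the same category (a password plus a security question) as two-factor. The following added example, not part of the lecture, audits a VPN authentication configuration by category rather than by method count; the method names and the 90-day rotation limit are assumptions made for this example.

```python
# The three factor categories named in the lecture: know, have, are.
# The method names are assumptions for this example.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know", "security_question": "know",
    "smart_card": "have", "hardware_token": "have", "totp_app": "have",
    "fingerprint": "are", "face": "are",
}


def factor_categories(methods):
    """Distinct categories covered by the configured methods, ignoring any
    method we cannot classify."""
    return {FACTOR_CATEGORY[m] for m in methods if m in FACTOR_CATEGORY}


def audit_vpn_auth(methods, password_max_age_days=None):
    """Return a list of findings for a VPN authentication configuration.
    An empty list means it meets the lecture's recommendations.

    - Two methods from the same category are not two-factor, so the check
      counts categories, not methods.
    - A password-only VPN is only acceptable with regular rotation;
      password_max_age_days is the configured maximum password age and the
      90-day limit is an assumption for this example.
    """
    findings = []
    unknown = sorted(m for m in methods if m not in FACTOR_CATEGORY)
    if unknown:
        findings.append(f"unclassified authentication method(s): {unknown}")
    categories = factor_categories(methods)
    if len(categories) < 2:
        findings.append(
            f"not two-factor: {sorted(methods)} cover only {sorted(categories)}")
    if categories == {"know"} and (
            password_max_age_days is None or password_max_age_days > 90):
        findings.append(
            "password-only VPN access without regular password rotation")
    return findings


if __name__ == "__main__":
    for cfg in (["smart_card", "pin"], ["password", "security_question"]):
        print(cfg, "->", audit_vpn_auth(cfg) or "OK")
```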
VPN Protocol
- In general, a standard protocol rather than a proprietary one should be used for the VPN. IPSec is the current standard for VPNs.
- The primary alternative to IPSec is SSL (Secure Sockets Layer).
Understand the Types of VPN Systems
The primary types of VPN systems are:
- Hardware systems
- Software systems
- Web-based systems

Hardware Systems
- A hardware appliance is used as the VPN server.
- This appliance runs the manufacturer’s software and may include some special hardware to improve the encryption capability of the system.
Benefits are:
- Speed: The hardware is most likely optimized to support the VPN and thus will provide a speed advantage over a general-purpose computer system.
- Increased capacity: This translates into an ability to handle a greater number of simultaneous VPN connections.
- Security: If the hardware appliance has been specifically built for the VPN application, all extraneous software and processes should already have been removed from the system.

Software Systems
- Software VPNs are loaded on a general-purpose computer system.
- They may be installed either on a system dedicated to the VPN or alongside other software, such as a firewall.
- Software VPNs can be used in the same manner as hardware VPNs. Software is available for handling user VPNs as well as site VPNs.

Web-based Systems
- Web-based VPNs do not require software to be loaded on the client, which decreases the administrative and managerial workload.
- Web-based VPNs are limited in which applications can be used and how the client connects to them.

Summary
- VPNs may require authentication to access a central server, or both VPN ends may be required to authenticate each other.
- There are two types of VPNs: user VPNs and site VPNs.
- While establishing a VPN, the site will request user authentication. Successful authentication allows the user to access the internal network.
- Although the user has a VPN connection back to the organization, they still have access to the Internet.