Chapter 11


FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed.
Chapter 11: Setting Up a Virtual Private Network

Learning Objectives
• Explain the components and essential operations of virtual private networks (VPNs)
• Describe the different types of VPNs
• Create VPN setups, such as mesh or hub-and-spoke configurations
• Choose the right tunneling protocol for your VPN
• Enable secure remote access for individual users via a VPN
• Recommend best practices for effective configuration and maintenance of VPNs

Introduction
• Organizations routinely join LANs to facilitate secure point-to-point communications
• Private leased lines don't scale well, utilize complex technology, and are expensive
• VPNs function like private leased lines
  – Encapsulate and encrypt data being transmitted
  – Use authentication to ensure only approved users gain access
• VPNs provide secure point-to-point communications over the public Internet

VPN Components and Operations
• VPNs can be set up with special hardware or with firewall software that includes VPN functionality
• Many firewalls have VPN systems built in
• A correctly set up VPN can be a critical component in an organization's perimeter security configuration
• The goal of VPNs is to provide a cost-effective and secure way to connect business locations to one another and remote workers to office networks

VPN Components
• VPNs consist of two types of components:
  – Hardware devices
  – Software that performs security-related activities
• VPN tunnels have two endpoints or terminators
• Endpoints:
  – Hardware devices or software modules
  – Encrypt data to secure information
  – Authenticate to ensure the host requesting data is an approved user
  – Encapsulate data to protect the integrity of information being sent

VPN Components (continued)
• A VPN connection occurs within a TCP/IP tunnel
• Tunnel: channel or pathway of networks used by the VPN that runs through the Internet from one endpoint to another
• "Tunnel" can be misleading as it implies:
  – There is a single cable joining the endpoints
  – Only approved VPN users can utilize that cable
• In reality, the VPN "tunnel" is virtual
• Using the Internet keeps costs down and simplifies setup of the VPN but can also add uncertainty to communications

VPN Components (continued)
• Endpoint devices can be one of the following:
  – A server running a tunneling protocol
  – A VPN appliance (a special hardware device devoted to setting up VPN communications)
  – A firewall/VPN combination
  – A router-based VPN (routers that support IPSec can be set up on the perimeter of connected LANs)
• A VPN scenario may also include:
  – Certificate servers: manage certificates
  – Client computers: run VPN client software, allowing remote users LAN access over the VPN

Essential Activities of VPNs
• Information transferred via VPN travels over the Internet and must be well protected
• Essential activities that protect data are:
  – IP encapsulation
  – Data payload encryption
  – Encrypted authentication

IP Encapsulation
• Used to protect VPN data packets
• Process of enclosing one packet within another packet that has different IP source and destination information
• Hides the source and destination information of the encapsulated packets
• IP addresses of encapsulated packets can be in the private reserved blocks that are not usually routable over the Internet

Data Payload Encryption
• VPNs can be configured to fully or partially encrypt the data portion of packets
• Encryption is accomplished in one of two ways:
  – Transport method: host encrypts traffic when it is generated; data is encrypted, but not headers
  – Tunnel method: traffic encrypted and decrypted in transit; both header and data portions of packets are encrypted
• Level of encryption varies
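The two slides above describe IP encapsulation and the transport versus tunnel methods. The following added example (not from the textbook) builds a minimal IPv4 packet with private inner addresses and shows both methods: tunnel encrypts the whole inner packet and wraps it in an outer header that names only the two gateways (constructed documentation addresses), while transport keeps the original header and encrypts only the data. The keystream cipher is a deliberately simplified stand-in so the code runs on the standard library, and protocol number 50 is borrowed from ESP without implementing real ESP framing.

```python
import hashlib
import socket
import struct

PROTO_TCP = 6
PROTO_ESP = 50  # IANA number for ESP; framing below is a simplified stand-in, not real ESP

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over the header; a valid header sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); raises if the header checksum is bad."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, pkt[ihl:total_len]

def toy_xor(key: bytes, data: bytes) -> bytes:
    """TOY keystream (SHA-256 in counter mode) so the example runs on the stdlib.
    A real VPN uses an authenticated cipher such as AES-GCM; this is for illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def tunnel_mode(inner: bytes, key: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel method: the whole inner packet (header + data) is encrypted and
    wrapped in a new outer header that names only the two VPN gateways."""
    return build_ipv4(gw_src, gw_dst, PROTO_ESP, toy_xor(key, inner))

def transport_mode(inner: bytes, key: bytes) -> bytes:
    """Transport method: the host encrypts only the data portion; the original
    IP header, including the private addresses, stays visible on the wire."""
    src, dst, proto, payload = parse_ipv4(inner)
    return build_ipv4(src, dst, proto, toy_xor(key, payload))

def decapsulate(outer: bytes, key: bytes):
    """What the far gateway does: strip the outer header, decrypt, parse the inner packet."""
    _, _, proto, body = parse_ipv4(outer)
    if proto != PROTO_ESP:
        raise ValueError("not a tunnel packet")
    return parse_ipv4(toy_xor(key, body))

# Constructed sample: a private-to-private packet and RFC 5737 documentation gateway addresses.
INNER = build_ipv4("10.0.1.5", "192.168.2.7", PROTO_TCP, b"GET / HTTP/1.0\r\n")
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    outer = tunnel_mode(INNER, KEY, "203.0.113.10", "198.51.100.20")
    print("outer header shows:", parse_ipv4(outer)[:2])      # only the gateway addresses
    print("far end recovers:", decapsulate(outer, KEY)[:2])  # the private addresses
```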

Encrypted Authentication
• Encryption domain: everything in the protected network and behind the gateway
• Authentication is essential; VPN communication recipients must know the sender is an approved user
• Hosts are authenticated by exchanging keys
• Two types of keys:
  – Symmetric keys: keys are the same; hosts exchange the same secret key to verify identities
  – Asymmetric keys: participants have a private key and a public key; public keys are exchanged; the public key is used to encrypt; decrypt using the private key

Benefits and Drawbacks of VPNs
• Benefits:
  – Secure networking without costly leased lines
  – Encryption/translation handled by dedicated systems, reducing production machine workload
  – Allows control of physical setup
• Drawbacks:
  – Complex and, if configured improperly, can create significant network vulnerabilities
  – Uses the unpredictable and often unreliable Internet
  – Some vendor solutions have more documented security issues than others

VPNs Extend Network Boundaries
• VPN connections that are "always on" extend your network to locations out of your control
• Some suggestions for dealing with the increased risk presented by these connections:
  – Use two or more authentication tools to identify remote users
  – Integrate virus protection
  – Use Network Access Control (NAC)
  – Set usage limits

Types of VPNs
• In general, you can set up two types of VPN:
  – Site-to-site: links two or more networks
  – Client-to-site: makes a network accessible to remote users who need dial-in access
• These two VPN types are not mutually exclusive
• Options for configuring VPNs:
  – Hardware systems
  – Software systems
  – Hybrids
• VPNs need to be able to work with any number of different operating systems or computer types

VPN Appliances
• Hardware device specially designed to terminate VPNs and join multiple LANs
• Can permit connections between large numbers of users or multiple networks
• Don't provide other services such as file sharing and printing
• Some examples include the SonicWALL series and the Symantec Firewall/VPN appliance

Software VPN Systems
• Generally less expensive than hardware systems
• Tend to scale better on fast-growing networks
• Some examples include F-Secure VPN and Novell's BorderManager VPN services

VPN Combinations of Hardware and Software
• VPN systems may implement a VPN appliance at the central network and use client software at the remote end of each VPN connection
• Most VPN concentrator appliances are capable of operating in one of two modes:
  – Client mode: concentrator acts as a software client, enabling users to connect to other remote networks via VPN
  – Network extension mode: concentrator acts as a hardware device enabling a secure site-to-site VPN connection

Combination VPNs
• A VPN system that is "mixed" uses hardware and software from different vendors
• Challenge: get all pieces of the system to communicate with one another successfully
• Solution: pick a standard security protocol that is widely used and supported by all devices, such as IPSec

VPN Setups
• With two participants in a VPN, configuration is relatively straightforward in terms of:
  – Expense
  – Technical difficulty
  – Time involved
• When three or more networks/individuals are connected, several configuration options exist:
  – Mesh
  – Hub-and-spoke
  – Hybrid

Mesh Configuration
• Each participant (network, router, or computer) in the VPN has an approved relationship, called a security association (SA), with every other participant
• During VPN configuration, each participant must be specifically identified to every other participant using the VPN
• Before initiating a connection, each VPN terminator checks its routing table or SA table to confirm the other participant has an SA with it

Mesh VPN
[Figure: mesh VPN topology diagram; image not included in the transcription]

Hub-and-Spoke Configuration
• A single VPN router contains records of all SAs in the VPN
• Any LANs or computers participating in the VPN need only connect to the central server, not to any other machines in the VPN
• Easy to increase the size of the VPN as more branch offices or computers are added

Hub-and-Spoke VPN
[Figure: hub-and-spoke VPN topology diagram; image not included in the transcription]

Hybrid Configuration
• As organizations grow, mesh or hub-and-spoke VPN designs commonly evolve into a mixture of the two
• Mesh configurations tend to be more efficient; the central core linking the most important network branches should be a mesh configuration; other branch offices are added as spokes connecting to the VPN router at the central office
• A hybrid setup benefits from the strengths of each one—scalability of hub-and-spoke and speed of mesh
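As an added illustration (not from the textbook) of the three setups, this script models the security associations each one requires, the SA table a terminator consults before connecting, and the path a connection takes when two spokes have no SA with each other; the site names are constructed.

```python
from collections import deque
from itertools import combinations

def mesh_sas(sites):
    """Mesh: every participant holds an SA with every other participant."""
    return {frozenset(pair) for pair in combinations(sites, 2)}

def hub_spoke_sas(hub, spokes):
    """Hub-and-spoke: only the central VPN router holds an SA with each spoke."""
    return {frozenset((hub, spoke)) for spoke in spokes}

def hybrid_sas(core, spokes_by_core):
    """Hybrid: a meshed core of the most important branches, with other offices
    added as spokes off a core router (the layout the slide recommends)."""
    sas = mesh_sas(core)
    for core_site, spokes in spokes_by_core.items():
        sas |= hub_spoke_sas(core_site, spokes)
    return sas

def sa_table(sas, site):
    """The SA table a terminator consults: peers it may connect to directly."""
    return sorted(next(iter(sa - {site})) for sa in sas if site in sa)

def tunnel_path(sas, src, dst):
    """Direct if an SA exists, otherwise relayed through VPN routers that hold
    SAs with both sides (breadth-first search). None means no SA chain exists
    and the terminator refuses the connection."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for peer in sa_table(sas, node):
            if peer not in prev:
                prev[peer] = node
                queue.append(peer)
    return None

# Constructed site names for the demonstration.
SITES = ["HQ", "Atlanta", "Boston", "Chicago", "Denver", "Elko"]

if __name__ == "__main__":
    mesh, hub = mesh_sas(SITES), hub_spoke_sas("HQ", SITES[1:])
    # A mesh needs n(n-1)/2 SAs, each configured on both ends; hub-and-spoke needs n-1.
    print(len(mesh), "SAs in the mesh;", len(hub), "in hub-and-spoke")
    print("Boston -> Denver, mesh:", tunnel_path(mesh, "Boston", "Denver"))
    print("Boston -> Denver, hub :", tunnel_path(hub, "Boston", "Denver"))
```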

Configurations and Extranet and Intranet Access
• Each VPN endpoint represents an extension of the corporate network to a new location—an extranet
• The same security measures taken to protect the corporate network should be applied to VPN endpoints (firewalls, anti-virus, etc.)
• VPNs can also be used to give parts of the organization access to other areas through the corporate intranet
• VPN users inside the organization should have usage limits, anti-virus, and firewall protection, just as outside users should

Tunneling Protocols Used with VPNs
• In the past, firewalls providing establishment of VPNs used proprietary protocols
• Such firewalls could only establish connections with remote LANs using the same firewall brand
• Today, widespread acceptance of the IPSec protocol with the Internet Key Exchange (IKE) system means proprietary protocols are used far less often

IPSec/IKE
• IPSec provides two security methods:
  – Authentication Header (AH): authenticates packets
  – Encapsulating Security Payload (ESP): encrypts the data portion of packets
• IPSec can work in two different modes:
  – Transport mode: provides secure communications between hosts
  – Tunnel mode: used to create secure links between two private networks

IPSec/IKE (continued)
• IPSec/IKE VPN connection process:
  1. A request to establish a connection is sent
  2. The remote host generates a random number and sends it to the machine that made the original request
  3. The original machine encrypts its pre-shared key using the random number and sends it to the remote host
  4. The remote host decrypts the key and compares it to its own pre-shared key or keyring; if the key matches, the remote host encrypts its public key using the pre-shared key and sends it to the original machine
  5. The original machine uses the public key to establish a security association (SA) and the VPN connection

PPTP
• Point-to-Point Tunneling Protocol (PPTP)
• Commonly used to connect to a network using a dial-in modem connection
• Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data
• Useful if support for older clients is needed
• Also useful because packets sent can pass through firewalls that perform Network Address Translation (NAT)

L2TP
• Layer 2 Tunneling Protocol (L2TP)
• Extension of the Point-to-Point Protocol (PPP)
• Uses IPSec rather than MPPE to encrypt data
• Provides secure authenticated remote access by separating the connection initiation process from the encapsulated data forwarding process

PPP Over SSL/PPP Over SSH
• Point-to-Point Protocol (PPP) Over Secure Sockets Layer (SSL) and Point-to-Point Protocol (PPP) Over Secure Shell (SSH)
  – UNIX-based methods for creating VPNs
  – Combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH)
• SSL: public key encryption system used to provide secure communications over the WWW
• SSH: UNIX secure shell; performs secure authenticated logons and encrypted communications; requires a pre-shared key

VPN Protocols and Their Uses
[Table: comparison of VPN tunneling protocols and their uses; not included in the transcription]

Enabling Remote Access Connections within VPNs
• To enable a remote user to connect to the VPN, the user must be issued VPN client software
• The user's computer should be equipped with a firewall and anti-virus software
• A key may need to be obtained for the remote user if IPSec is used to make the VPN connection
• Problems may be encountered finding a phone provider that has dial-up numbers in all locations

Configuring the Server
• If a firewall-based VPN is used, the client computer must be identified
• Check Point FireWall-1 calls this process defining a network object
• Major operating systems incorporate their own methods of providing secure remote access
• Linux uses the IP Masquerade feature
• Windows XP and 2000 include the New Connection Wizard

Configuring Clients
• Involves installing and configuring VPN client software or using the New Connection Wizard
• FireWall-1 uses SecuRemote, which enables connections to hosts or networks via VPN
• Important issues to consider:
  – Will the client software work with all client platforms?
  – Is the client workstation itself firewall protected?
• Because each VPN connection is a potential opening for viruses and hackers, a requirement that remote hosts be protected with firewalls should be part of the organization's VPN policy

VPN Best Practices
• Successful operation of a VPN depends not only on hardware and software components and overall configuration
• It also depends on a number of best practices
• These include:
  – Security policy rules specific to the VPN
  – Integration of firewall packet filtering with VPN traffic
  – Auditing the VPN to ensure acceptable performance

The Need for a VPN Policy
• Essential for identifying who can use the VPN and for ensuring all users know what constitutes proper use
• Can be a separate stand-alone policy or part of a larger security policy
• Points to cover include but are not limited to:
  – Who is permitted to have VPN access
  – Whether authentication is to be used and how
  – Whether split tunneling is permitted
  – How long users can be connected in one session
  – Whether virus protection is included

Packet Filtering and VPNs
• A decision must be made early as to where data encryption and decryption will be performed in relation to packet filtering
• Encryption and decryption can occur either inside or outside the packet-filtering perimeter

PPTP Filters
• PPTP is commonly used when older clients need to connect to a network through a VPN or when a tunnel must pass through a firewall that performs NAT
• For PPTP traffic to pass through a firewall, packet-filtering rules must permit such communications
• Incoming PPTP connections arrive on TCP port 1723
• PPTP packets use Generic Routing Encapsulation (GRE) packets, identified by IP protocol number 47

L2TP and IPSec Packet-Filtering Rules
• L2TP uses IPSec to encrypt traffic as it passes through the firewall
• Packet-filtering rules must be set up that cover IPSec traffic
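An added example (not from the textbook) of the filtering decision the two slides above call for: a first-match, default-deny rule set for PPTP (TCP 1723 plus GRE, protocol 47, from the slides) and for L2TP/IPSec, where the IKE ports UDP 500/4500 and the ESP/AH protocol numbers 50/51 are standard IPSec values not listed on the slides; the gateway address and sample traffic are constructed.

```python
from dataclasses import dataclass

TCP, UDP, GRE, ESP, AH = 6, 17, 47, 50, 51  # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the Internet, "out" = leaving the LAN
    proto: int
    src: str
    dst: str
    dport: int = 0  # 0 for protocols without ports (GRE, ESP, AH)

VPN_GW = "203.0.113.10"  # constructed public address of the firewall/VPN endpoint

# Rule: (direction, proto, dport or None). "in" rules apply to packets addressed
# to VPN_GW, "out" rules to packets sent by it; first match wins, default deny.
PPTP_RULES = [
    ("in", TCP, 1723),   # PPTP control connection, TCP port 1723 (from the slides)
    ("in", GRE, None),   # GRE, protocol 47, carries the tunneled PPP frames
    ("out", GRE, None),
]
IPSEC_RULES = [  # standard IPSec port/protocol numbers, not listed on the slides
    ("in", UDP, 500),    # IKE key exchange
    ("in", UDP, 4500),   # IKE and ESP over UDP when NAT is in the path
    ("in", ESP, None),   # ESP, protocol 50
    ("in", AH, None),    # AH, protocol 51
    ("out", UDP, 500), ("out", UDP, 4500), ("out", ESP, None), ("out", AH, None),
]

def verdict(pkt: Packet, rules) -> str:
    """First matching rule decides; anything not explicitly permitted is dropped.
    Bare L2TP (UDP 1701) never matches: with L2TP/IPSec it travels inside ESP."""
    endpoint_ok = pkt.dst == VPN_GW if pkt.direction == "in" else pkt.src == VPN_GW
    if not endpoint_ok:
        return "deny"
    for direction, proto, dport in rules:
        if pkt.direction == direction and pkt.proto == proto and dport in (None, pkt.dport):
            return "allow"
    return "deny"

def filter_log(packets, rules):
    """Apply the rule set to a batch and return one log line per packet."""
    return [f"{verdict(p, rules):5} {p.direction:3} proto={p.proto:2} "
            f"{p.src} -> {p.dst}:{p.dport}" for p in packets]

# Constructed sample traffic as seen at the firewall.
SAMPLE = [
    Packet("in", TCP, "198.51.100.7", VPN_GW, 1723),    # PPTP control channel
    Packet("in", GRE, "198.51.100.7", VPN_GW),          # PPTP data (GRE)
    Packet("in", TCP, "198.51.100.7", VPN_GW, 23),      # telnet to the gateway
    Packet("in", GRE, "198.51.100.7", "203.0.113.99"),  # GRE to a non-VPN host
    Packet("in", UDP, "198.51.100.7", VPN_GW, 500),     # IKE
    Packet("in", ESP, "198.51.100.7", VPN_GW),          # ESP
    Packet("in", UDP, "198.51.100.7", VPN_GW, 1701),    # bare L2TP, outside IPSec
]

if __name__ == "__main__":
    print("\n".join(filter_log(SAMPLE, PPTP_RULES + IPSEC_RULES)))
```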

Auditing and Testing the VPN
• Each VPN computer client should be tested
• The VPN should be checked to ensure component reliability and acceptable file transfer rates
• If parts of the network frequently fail, switch ISPs
• If an ISP switch is needed, consider the following:
  – How often does the network go offline?
  – Are there backup servers to keep customers online if the primary server goes down?
  – Are there backup power supplies in case of a power outage?
  – How far is the network backbone?

Chapter Summary
• VPNs:
  – Provide secure point-to-point communications over the public Internet
  – Used for e-commerce and telecommuting
  – Can be set up with special hardware or with firewall software that includes VPN functionality
  – Are a critical component in an organization's perimeter security configuration

Chapter Summary (continued)
• VPN data travels over public networks and needs to be well protected
• Essential data protection activities:
  – IP encapsulation
  – Data payload encryption
  – Encrypted authentication
• Two different types of VPN:
  – Site-to-site
  – Client-to-site
• The two are not necessarily mutually exclusive

Chapter Summary (continued)
• VPN configurations:
  – Mesh configuration: each participant has an approved relationship with every other participant
  – Hub-and-spoke arrangement: a single, central VPN router contains records of all associations; any other participants connect only to the central server
  – Hybrid setup: a mixture that often evolves from the other configuration types as the organization grows
• Widespread use of IPSec with Internet Key Exchange (IKE) means proprietary protocols are used far less often

Chapter Summary (continued)
• IPSec provides two security methods:
  – Authentication Header (AH): authenticates packets
  – Encapsulating Security Payload (ESP): encrypts the data portion of packets
• Both methods can be used together

Chapter Summary (continued)
• Point-to-Point Tunneling Protocol (PPTP) is used to connect to a network using a dial-in modem
• Layer 2 Tunneling Protocol (L2TP) is an extension of a protocol long used for dial-up connections on the Internet, the Point-to-Point Protocol (PPP)
• Point-to-Point Protocol (PPP) Over Secure Sockets Layer (SSL) and Point-to-Point Protocol (PPP) Over Secure Shell (SSH)
  – UNIX-based methods for creating VPNs
  – Combine an existing tunnel system (PPP) with data encryption in transport (SSL or SSH)

Chapter Summary (continued)
• To enable a remote user to connect to a VPN, issue that user VPN client software
• Make sure the user's computer has anti-virus software and a firewall
• May need to obtain a key for the remote user if using IPSec to make the VPN connection
• VPN best practices include:
  – Security policy rules specific to the VPN
  – Integration of firewall packet filtering and VPN traffic
  – Auditing the VPN to ensure acceptable performance
