What is a Virtual Private Network?
A VPN is defined as connectivity deployed on a shared infrastructure with the same policies and ‘performance’ as a private network.
3© 2000, Cisco Systems, Inc. 24001190_05_2000_c2
Agenda
• VPN Choices—Choosing What’s Right For You
• Understanding the Building Blocks of a VPN
  - Security
  - Platforms
  - Quality of Service
  - Network and Service Monitoring
• Next Steps and Real World Deployments
• Q&A
What Is a VPN?
[Diagram: Main Office, Home Office, Mobile Worker, Business Partner, Remote Office and Regional Office, all reaching the shared network through service-provider POPs]
Virtual Private Network: connectivity deployed on a shared infrastructure with the same policies and ‘performance’ as a private network.
A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organisation.
The goal of a VPN is to provide the organisation with the same capabilities, but at a much lower cost.
A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunnelling protocols.
In effect, the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a “tunnel” that cannot be “entered” by data that is not properly generated.
An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.
VPN Types: Intranet VPN
[Diagram: Main Office and two Remote Offices connected through a Service Provider’s POPs over Internet/IP VPNs]
• Extends the connectionless IP model across a shared WAN
• Reduces application development time
• Reduces support costs
• Reduces line costs
VPN Types: Extranet VPN
[Diagram: Main Office, Remote Offices, Business Partner, Supplier and Customer connected through a Service Provider’s POPs over Internet/IP VPNs]
• Extends connectivity to suppliers, customers, and business partners
• Over a shared infrastructure
• Using dedicated connections
• While ensuring the proper level of authorised access
Router/Firewall-Initiated VPN
[Diagram: a remote router or firewall initiates an IPSec-encrypted tunnel across the Internet between two POPs]
For site-to-site connectivity: intranets and extranets.
VPNs Come in Many Flavors
Layer 3: Internet VPN (Intranet VPN, Extranet VPN) and IP VPN (Intranet VPN, Extranet VPN)
Layer 2: FR and ATM
Benefits of VPN
Extend geographic connectivity
Improve security
Reduce operational costs versus a traditional WAN
Reduce transit time and transportation cost for remote users
Improve productivity
Simplify the network
Provide global networking opportunities
Easy to configure
Provide telecommuter support
Can be used to access blocked websites
A well-designed VPN uses several methods for keeping your connection and data secure:
Firewalls
Encryption
IPSec
AAA server
A VPN uses encryption to provide data confidentiality. Once connected, the VPN uses a tunnelling mechanism to encapsulate the encrypted data in a secure tunnel whose headers are openly readable, so that it can cross public networks.
A VPN also provides a data integrity check. This is typically performed using a message digest to ensure that the data has not been tampered with during transmission.
VPN Security
Firewalls
A firewall provides a strong barrier between your private network and the Internet. You can configure firewalls to restrict the number of open ports, what types of packets are passed through and which protocols are allowed through.
Encryption
The process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode.
IPSec
Internet Protocol Security (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication.
Creating a Dial-up VPN on Windows Server 2008 R2
Conditions:
> The IP address should be static
> The firewall should be turned off
> The computers must be in a network
> A domain should already be built
Go to Server Manager and install the RRAS role from Administrative Tools.
Follow the on-screen instructions, choosing options according to how you want to build the VPN.
Hacking Attacks
VPN Hijacking is the unauthorised take-over of an established VPN connection from a remote client, and impersonating that client on the connecting network.
Man-in-the-middle attacks affect traffic being sent between communicating parties, and can include interception, insertion, deletion and modification of messages, reflecting messages back at the sender, replaying old messages and redirecting messages.
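The encrypted tunnel with openly readable headers and an integrity check described under VPN Security, together with the message modification and replay attacks listed above, worked through as an added example that is not part of the original slides: a minimal one-direction tunnel in Go (not Cisco or IPsec code; the 4-byte sequence-number header and the demo key are constructed assumptions). A frame whose header or payload was altered in transit fails the integrity check, and a re-sent frame is dropped by the sequence-number check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Tunnel is one direction of an encrypted tunnel: cleartext 4-byte sequence number, then AES-GCM-protected inner packet.
type Tunnel struct {
	aead    cipher.AEAD
	seq     uint32 // sender: last sequence number emitted
	lastSeq uint32 // receiver: highest sequence number accepted
}
func NewTunnel(key []byte) (*Tunnel, error) { // one key per direction, as in IPsec
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Tunnel{aead: aead}, err
}

// Encapsulate returns header || ciphertext || tag; the header is associated data: in the clear, yet integrity-protected.
func (t *Tunnel) Encapsulate(inner []byte) []byte {
	t.seq++
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, t.seq)
	nonce := append(make([]byte, 8), hdr...) // 12-byte GCM nonce, fresh because seq never repeats
	return append(hdr, t.aead.Seal(nil, nonce, inner, hdr)...)
}

// Decapsulate returns the inner packet, or the reason the frame was dropped.
func (t *Tunnel) Decapsulate(frame []byte) ([]byte, error) {
	if len(frame) < 4+t.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	seq := binary.BigEndian.Uint32(frame[:4])
	if seq <= t.lastSeq { // replayed or reordered frame
		return nil, errors.New("replayed or stale frame")
	}
	nonce := append(make([]byte, 8), frame[:4]...)
	inner, err := t.aead.Open(nil, nonce, frame[4:], frame[:4])
	if err != nil { // header or payload modified in transit
		return nil, errors.New("integrity check failed")
	}
	t.lastSeq = seq // advance only after the frame authenticated
	return inner, nil
}
```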
User Authentication
By default, a VPN does not provide or enforce strong user authentication. A VPN connection should only be established by an authenticated user. If the authentication is not strong enough to restrict unauthorised access, an unauthorised party could access the connected network and its resources. Most VPN implementations provide limited authentication methods. For example, PAP, used in PPTP, transports both username and password in clear text. A third party could capture this information and use it to gain subsequent access to the network.
Client-Side Risks
The VPN client machines of, say, home users may be connected to the Internet via a standard broadband connection while at the same time holding a VPN connection to a private network, using split tunnelling. This may pose a risk to the private network being connected to. A client machine may also be shared with other parties who are not fully aware of the security implications. In addition, a laptop used by a mobile user may be connected to the Internet through a wireless LAN at a hotel or airport, or through other foreign networks, and the security protection at most of these public connection points is inadequate for VPN access. If the VPN client machine is compromised, either before or during the connection, this poses a risk to the connecting network.
Virus/Malware Infections
A connecting network can be compromised if the client side is infected with a virus. If a virus or spyware infects a client machine, there is a chance that the password for the VPN connection might be leaked to an attacker. In the case of an intranet or extranet VPN connection, if one network is infected by a virus or worm, that virus or worm can spread quickly to other networks if anti-virus protection systems are ineffective.
Conclusion
VPN provides a means of accessing a secure, private, internal network over insecure public networks such as the Internet. A number of VPN technologies have been outlined, among which IPsec and SSL VPN are the most common. Although a secure communication channel can be opened and tunnelled through an insecure network via VPN, client side security should not be overlooked.