Department of Computing, Communications Technology and Mathematics

Final Year Project Report submitted in partial fulfilment of the requirements of the degree of Bachelor of Science with Honours of the London Metropolitan University

VIRTUAL PRIVATE NETWORKING

IMPLEMENTATION FOR

SUN INFOSYS LTD.

By

Rashid Khan May 2005 ID: 03020935

Supervisor: Professor Algirdas Pakstas

Author: Rashid Khan 1

Page 2: VIRTUAL PRIVATE NETWORKING.pdf

ABSTRACT

This project provides an introduction, research, theory, analysis, proposed solutions and a real implementation and study of Virtual Private Networking for Sun Infosys Ltd. It also sets out the structure of this document and covers the concepts, theories and main terminology needed to understand and implement a Virtual Private Network.

Chapter 1 (Introduction) introduces the project proposal, the project implementation and the presentation to be given to students and teachers after submission of this document. The presentation will clarify and demonstrate my understanding of the project and the actual implementation carried out by me.

Chapter 2 (Project Proposal) is the project proposal report completed in the previous module, which set out in theory how best to implement this project.

Chapter 3 (Literature Search) uses the relevant literature to justify some of the aims and objectives.

Chapter 4 (Project Plan) discusses the project plan: how and what I intend to implement.

Chapter 5 (Investigation and Result) describes the details of the experiments and investigations carried out.

Chapter 6 (A critical appraisal of the work done) examines the project in its entirety, with a critique of what was achieved, discussion of the problems encountered, and an examination of the validity of the method chosen to solve the problem.

Chapter 7 (Conclusion) states the purpose of the work and gives a concise summary of the project.

Chapter 8 (Suggestions for further work) discusses how things could have been improved.

Chapter 9 contains the References.

Chapter 10 contains the Appendices.


CONTENTS

Chapter 1 - INTRODUCTION

1.1 What the Project is about

1.2 Organisational Structure

Chapter 2 - THE PROJECT PROPOSAL

2.1 Background Information on the company

2.2 The UNIX based solution

2.3 The Windows based solution

Chapter 3 - THE LITERATURE SEARCH

3.1 What is VPN?

3.2 What Makes a VPN?

3.3 Types of VPN

3.4 Remote-Access VPN

3.5 Site-to-Site VPN

3.6 Extranet VPN

3.7 VPN Security

3.8 Firewalls

3.9 Encryption

3.10 IPSec

3.11 AAA Servers

3.12 VPN Technologies

3.13 VPN Concentrator

3.14 VPN-Optimized Router

3.15 Cisco Secure PIX Firewall

3.16 Tunnelling

3.17 Carrier protocol

3.18 Encapsulating protocol

3.19 Passenger protocol

3.20 Tunnelling: Site-to-Site

3.21 Tunnelling: Remote-Access

3.22 L2F (Layer 2 Forwarding)

3.23 PPTP (Point-to-Point Tunneling Protocol)

3.24 L2TP (Layer 2 Tunneling Protocol)

3.25 MPLS

Chapter 4 - PROJECT PLAN

4.1 Step 1

4.2 Step 2

4.3 Step 3

Chapter 5 - INVESTIGATION AND RESULT

5.1 VPN using hardware based tools and technologies

5.2 VPN using software based tools and technologies

5.3 Protocol Selection

5.4 Performance needs

5.5 IP Address Planning

5.6 ISP Evaluation

5.7 Installing & configuring ISA Server 2000

Chapter 6 - CRITICAL APPRAISAL OF THE WORK DONE

Chapter 7 - CONCLUSION

Chapter 8 - SUGGESTIONS FOR FURTHER WORK

REFERENCES

APPENDICES

APPENDIX A – Implementation – Installing Windows Server 2003

APPENDIX B – Implementation – Installing ISA Server 2000

APPENDIX C – Implementation – Installing ISA Server Service Pack 1

APPENDIX D – Implementation – Installing Hotfix isahf255.exe

APPENDIX E – Implementation – Installing Feature Pack 1

APPENDIX F – Implementation – Configuring the ISA Server 2000/VPN Server

APPENDIX G – Implementation – Connecting to the VPN


ACKNOWLEDGEMENTS

I would like to thank the following people; without their help the completion of this project would not have been possible.

• Special thanks to Peter Chalk, for all his help, guidance and encouragement.

• Mr. Sri Adam, for letting me implement this project in his organisation.

• All my friends and family, for their help, support and suggestions.

• All the final year BSc. Computer Networking students, for their feedback about this report.

• Anyone who helped me, whether knowingly or unknowingly, willingly or unwillingly, directly or indirectly.


Virtual Private Networking – Introduction

Chapter 1 - Introduction

1.1 What the Project is about

This project is about Virtual Private Network technology and its implementation in a real working environment. It is my final year project; I am a final year undergraduate student in BSc (Hons) Computer Networking. The chosen topic is a Virtual Private Network implementation for Sun InfoSys Ltd.

http://www.suninfosys.co.uk/

Sun InfoSys Ltd. is in the business of CCTV systems. It was established by IT and security experts to provide total security solutions to the retail business market. They provide security systems by integrating information technology with their digital and analogue CCTV systems. Sun InfoSys supplies and installs hardware (computers, printers, point-of-sale systems and digital Internet-enabled CCTV systems) and software (all software needed by EPOS, CCTV and the client's business) for retail businesses in the UK.

The company's aim is to add value in all areas of its involvement with customers, whether simply offering technical support, single hardware components or efficient security monitoring systems in the form of digital CCTV. They also provide a 24-hour digital CCTV remote monitoring facility.


1.2 ORGANIZATIONAL STRUCTURE

Name of Organisation: Sun InfoSys Ltd.

Address: No 8, Exmouth Rd. London, E17 7QQ.

Telephone & Fax numbers: Tel: 0870 609 2363

Name of Managing Director: Mr. Sri Adam

Organisation chart: the Managing Director heads the company, with the following departments reporting to him:

• Sales Accounts

• Warehouse

• Technical Support

• Customer Services

My motivation for this project is not only to enhance my knowledge of the complex but very rewarding and currently hot technology of Virtual Private Networking for an existing company, Sun InfoSys Ltd., but to actually implement the project in that company. This could bear fruit for me in the form of possible future job prospects with the company. I had to be able to liaise with the staff and establish a good rapport with them.

Furthermore, in this project I will also be developing a website covering this report; it will be available with this documentation, and I will publish the web address in the conclusion of this report.

Previously I worked for several years as a Network Engineer in Pakistan for several companies, where I designed, deployed, managed and troubleshot complex networks. I have also worked as a web developer and developed several websites for clients in Pakistan. Clearly I have a great interest in the field of networking, and this is the sole reason for my taking up this degree to further my knowledge and career within the field.


Virtual Private Networking – Project Proposal

Chapter 2 - The Project Proposal

2.1 Background Information on the company

Sun Infosys Ltd. (http://www.suninfosys.co.uk/) is in the business of computer hardware, software and CCTV systems. Because of these varied systems there was a need for convergence, and for availability, so that resources can be reached and checked from virtually anywhere, as the sales team and the director are mostly mobile. This need, coupled with the popularity of VPN systems, gave me the chance to offer myself for this project and to offer a solution to their problems. Sun Infosys Ltd. gladly accepted my offer.

The aim and objectives of this project are to make proposals and then implement a suitable one, allowing me to investigate the best method and solution for implementing a Virtual Private Network for Sun InfoSys Ltd. between its Head Office and Branch Office, and to provide connectivity for its Managing Director, sales team, and the various installers and site engineers who require access to company resources.

Sun InfoSys Ltd. was established by IT and security experts to provide total solutions to the retail business market. It is probably the only company that provides total security systems integrated with IT. Sun Infosys supplies and installs hardware (computers, printers, point-of-sale systems and digital Internet-enabled CCTV systems) and software (all software needed by EPOS, CCTV and the client's business) for retail businesses in the UK.

The company's aim is to add value in all areas of its involvement with customers, whether simply offering technical support, single hardware components or efficient planning of a large systems integration and installation programme.


By building a Virtual Private Network, I plan to cater for the company's current need to provide connectivity to its essential resources. The Managing Director, Mr. S. Peter Andy, is always on the move and needs to connect to company resources from various national and international venues, such as the UK and Taiwan, when holding meetings and presentations with his suppliers in Taiwan. He needs up-to-the-minute data about stock, current requirements, current problems and sales figures.

The company has a head office at the following location:

Head Office: No 8, Exmouth Rd. London, E17 7QQ.

It also has a branch office at the following location:

Branch Office: No 772-776, Romford Rd., London E12.

The sales team commute to various organisations to give presentations and to convince potential clients; they frequently require on-the-move connections to resources such as sales figures, Sage, presentations, technical data, live demos and IP-based demonstrations of their digital CCTV systems.

The support team and the various installers and engineers require on-the-move access to technical resources, software, patches, and contact information from the company and Sage when visiting client locations, currently anywhere in London.

In light of the above data and the information given to me, I propose a Virtual Private Network solution. This solution can be delivered on a UNIX system or on a Microsoft Windows based system.


2.2 The UNIX based solution

The UNIX based solution entails the following: installation and configuration of a Linux box (server), and installation of Linux FreeS/WAN. Linux FreeS/WAN is an implementation of IPsec and IKE for Linux.

The abbreviation "IPsec" stands for Internet Protocol Security. It uses strong cryptography to offer both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit. Encryption prevents unauthorised reading of packet contents. Together they give considerably better security than plain IP.

These services make it possible to build secure tunnels through untrusted and unreliable networks. Everything that passes through the untrusted network is encrypted by the IPsec gateway machine and decrypted by the gateway at the other end. The result is a Virtual Private Network (VPN): a network which is effectively private even though it includes machines at several different sites connected by the insecure public Internet.

The IPsec protocols were developed by the IETF (Internet Engineering Task Force) and are a mandatory part of the next generation of IP, IP version 6 (IPv6). They are also widely implemented for IPv4. In particular, nearly all vendors of firewall or security software have IPsec support either shipping or in development. There are also several open source IPsec projects. Several companies are cooperating in the Secure Wide Area Network (S/WAN) project to ensure that products interoperate, and a VPN Consortium fosters cooperation among companies in this area.

The Linux / FreeS/WAN solution requires basic knowledge of Linux and a moderate knowledge of networking protocols.


There are three popular authentication methods supported by Linux FreeS/WAN:

Raw RSA keys, for FreeS/WAN to FreeS/WAN connections only. A raw RSA key is literally a long string of alphanumeric characters which is the encoding of either a public or a private key. The public and private keys go together: the holder of the private key can sign, and anyone with the matching public key can verify that signature, which is how a peer proves that it owns the key.

X.509 certificates (which are essentially RSA keys in a glorified format). X.509 certificates use the same RSA keys as raw keys, but wrap them in a certificate. This allows a trust-inheritance scheme (a certificate authority vouches for the key), and the certificates themselves contain useful supporting information such as the subject name and validity period. The actual representation of a certificate is a file, which can be encoded in many different ways (plain text, binary, or combinations of the two), for example PEM, base64 or PKCS#12.

PSKs (pre-shared secret keys). PSKs are the weakest of the three. They are simply passphrases stored in plain text in the configuration on both peers, e.g. "my_secret_password", so anyone who can read either peer's configuration obtains the secret, and the same secret has to be distributed to every peer that uses it. A PSK is also only as strong as its entropy: a short, human-chosen passphrase can be recovered by offline guessing if an attacker captures the IKE exchange (particularly with IKE aggressive mode, which sends a hash derived from the PSK in the clear). PSKs help get a connection set up quickly (they are the easiest of the three to configure), but should not be relied on in the long run.
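The PSK weakness described above is easy to check mechanically. The following is an added example, not code from the original project or from FreeS/WAN: a small Python audit of a FreeS/WAN-style ipsec.secrets file that flags pre-shared keys which are short, low-entropy or contain dictionary words, and passes raw RSA entries through untouched. The sample file, the tiny word list and the 128-bit threshold are constructed assumptions for the example; the line syntax assumed is the FreeS/WAN form `<selectors> : PSK "secret"` and `<selectors> : RSA { ... }`.

```python
"""Audit FreeS/WAN-style ipsec.secrets entries for weak pre-shared keys.

Added example for this report; not part of the original project or of
FreeS/WAN itself. The sample file, word list and threshold below are
constructed for illustration.
"""
import math
import re
import string

# Constructed sample of an ipsec.secrets file (not taken from any real host).
SAMPLE_SECRETS = '''\
# head office <-> branch office
192.0.2.1 198.51.100.7 : PSK "my_secret_password"
# road-warrior fallback
%any 192.0.2.1 : PSK "sunvpn"
# strong, randomly generated secret
192.0.2.1 203.0.113.9 : PSK "V7q!kP2#xL9m@Zc4$Hn8^Wd1&Rt6*Yb3"
# raw RSA key (FreeS/WAN to FreeS/WAN only)
192.0.2.1 : RSA {
    # real entries carry the key components here
    Modulus: 0x...
}
'''

# Assumption for this example: a tiny word list standing in for a real dictionary.
COMMON_WORDS = {"password", "secret", "vpn", "admin", "sun", "infosys"}

PSK_RE = re.compile(r'^\s*(?P<selectors>[^:#]+?)\s*:\s*PSK\s+"(?P<secret>[^"]*)"')
RSA_RE = re.compile(r'^\s*(?P<selectors>[^:#]+?)\s*:\s*RSA\b')


def entropy_bits(secret: str) -> float:
    """Upper-bound entropy estimate: log2(size of character classes used) per character."""
    pool = 0
    if any(c in string.ascii_lowercase for c in secret):
        pool += 26
    if any(c in string.ascii_uppercase for c in secret):
        pool += 26
    if any(c in string.digits for c in secret):
        pool += 10
    if any(c in string.punctuation for c in secret):
        pool += len(string.punctuation)
    return len(secret) * math.log2(pool) if pool else 0.0


def weakness_reasons(secret: str, min_bits: float = 128.0) -> list:
    """Return the reasons a PSK is considered weak; an empty list means acceptable."""
    reasons = []
    lowered = secret.lower()
    if any(word in lowered for word in COMMON_WORDS):
        reasons.append("contains a dictionary word")
    if len(secret) < 20:
        reasons.append("shorter than 20 characters")
    if entropy_bits(secret) < min_bits:
        reasons.append("estimated entropy below %d bits" % min_bits)
    return reasons


def audit_secrets(text: str) -> list:
    """Parse ipsec.secrets text; return (selectors, kind, reasons) for each entry."""
    findings = []
    for line in text.splitlines():
        if m := PSK_RE.match(line):
            findings.append((m["selectors"].strip(), "PSK", weakness_reasons(m["secret"])))
        elif m := RSA_RE.match(line):
            findings.append((m["selectors"].strip(), "RSA", []))
    return findings


if __name__ == "__main__":
    for selectors, kind, reasons in audit_secrets(SAMPLE_SECRETS):
        status = "OK" if not reasons else "WEAK: " + ", ".join(reasons)
        print("%-28s %-4s %s" % (selectors, kind, status))
```

To check a real host, read /etc/ipsec.secrets into audit_secrets(). The entropy figure is an upper bound (it assumes each character was drawn uniformly from its class), so a secret that fails the threshold is certainly weak, while one that passes is not automatically strong.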

Hardware requirements for the Linux FreeS/WAN solution:

The hardware requirements are basic: a 32-bit machine capable of running Linux, with two NICs (network interface cards), one connected towards the Internet and the other connected to the clients.


2.3 The Windows Based solution

Requirements: a Windows based server operating system, ideally Windows Server 2003, and Microsoft ISA Server 2000.

Hardware requirements for the Windows Server 2003 / ISA Server 2000 solution:

• Computer and processor: PC with a 133 MHz processor required; 550 MHz or faster processor recommended

• Memory: 128 MB of RAM required; 256 MB or more recommended; 4 GB maximum

• Hard disk: 1.25 to 2 GB of available hard-disk space

• Drive: CD-ROM or DVD-ROM drive

• Display: VGA or hardware that supports console redirection required; Super VGA supporting 800 x 600 or higher resolution monitor recommended


Virtual Private Networking – Literature Search

Chapter 3 - Literature Search

The key topics I have researched for Virtual Private Networking are:

3.1 What is VPN?

3.2 What Makes a VPN?

3.3 Types of VPN

3.4 Remote-Access VPN

3.5 Site-to-Site VPN

3.6 Extranet VPN

3.7 VPN Security

3.8 Firewalls

3.9 Encryption

3.10 IPSec

3.11 AAA Servers

3.12 VPN Technologies

3.13 VPN Concentrator

3.14 VPN-Optimized Router

3.15 Cisco Secure PIX Firewall

3.16 Tunnelling

3.17 Carrier protocol

3.18 Encapsulating protocol

3.19 Passenger protocol

3.20 Tunneling: Site-to-Site

3.21 Tunnelling: Remote-Access

3.22 L2F (Layer 2 Forwarding)

3.23 PPTP (Point-to-Point Tunneling Protocol)

3.24 L2TP (Layer 2 Tunneling Protocol)

3.25 MPLS


3.1 What is VPN?

A VPN is a generic term that describes any combination of technologies that can be used to secure a connection through an otherwise unsecured or untrusted network.

Cisco Definition: http://www.cisco.com/warp/public/779/largeent/design/vpn.html

[ VPN is one of the most used words in networking today and has many different meanings. The broadest definition of a VPN is 'any network built upon a public network and partitioned for use by individual customers'. This results in public frame relay, X.25, and ATM networks being considered as VPNs. These types of VPNs are generically referred to as Layer 2 VPNs. The emerging forms of VPNs are networks constructed across shared IP backbones, referred to as 'IP VPNs'. ]

Definition by VPN Consortium: http://www.vpnc.org/vpn-technologies.html

[ A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one company. The main purpose of a VPN is to give the company the same capabilities as private leased lines at much lower cost by using the shared public infrastructure. Phone companies have provided private shared resources for voice messages for over a decade. A virtual private network makes it possible to have the same protected sharing of public resources for data.


Companies today are looking at using a private virtual network for both extranets and wide-area intranets. ]

My Definition:

Basically, a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.

3.2 What Makes a VPN?

A well-designed VPN can greatly benefit a company. For example, it can:

• Extend geographic connectivity

• Improve security

• Reduce operational costs versus a traditional WAN

• Reduce transit time and transportation costs for remote users

• Improve productivity

• Simplify network topology

• Provide global networking opportunities

• Provide telecommuter support

• Provide broadband networking compatibility

• Provide faster ROI (return on investment) than a traditional WAN

A well-designed VPN should incorporate the following features:

• Security

• Reliability

• Scalability

• Network management

• Policy management


3.3 Types of VPN

1) Remote-Access VPN

2) Site-to-Site VPN

3) Extranet VPN

3.4 Remote-Access VPN

Cisco Definition: http://www.cisco.com/warp/public/779/largeent/design/remote_vpn.html

[ Remote Access VPNs provide remote access to a corporate Intranet or extranet over a shared infrastructure with the same policies as a private network. Access VPNs enable users to access corporate resources whenever, wherever, and however they require. Access VPNs encompass analog, dial, ISDN, digital subscriber line (DSL), mobile IP, and cable technologies to securely connect mobile users, telecommuters, or branch offices. ]

Remote-Access VPN

My Definition:

Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company whose employees need to connect to the private network from various remote locations. Normally, a company that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a low-call or free number (0800, 0500, etc.) to reach the NAS and use their VPN client software to access the corporate network.


[Figure: Remote-Access VPN. Image sources: Understanding Virtual Private Networking, from ADTRAN, http://www.adtran.com/adtranpx/Doc/0/EU0GPR0PEFB139RF038BE81ID8/EU0GPR0PEFB139RF038BE81ID8.pdf; and the copyrighted Cisco diagram at http://www.cisco.com/warp/public/779/largeent/design/remote_vpn.html]


A good example of a company that needs a remote-access VPN would be a company with a lot of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

3.5 Site-to-Site VPN

Cisco Definition: http://www.cisco.com/warp/public/779/largeent/design/intranet_vpn.html

[ Site-to-Site VPNs are an alternative WAN infrastructure that is used to connect branch offices, home offices, or business partners' sites to all or portions of a company's network. VPNs do not inherently change private WAN requirements, such as support for multiple protocols, high reliability, and extensive scalability, but instead meet these requirements more cost-effectively and with greater flexibility. ]

A company can connect multiple fixed sites over a public network such as the Internet through the use of dedicated equipment and large-scale encryption. Site-to-site VPNs can be one of two types:

Intranet-based: if a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect LAN to LAN.

Extranet-based: when a company has a close relationship with another company (for example, a partner, supplier or customer), it can build an extranet VPN that connects LAN to LAN and allows all of the various companies to work in a shared environment.


[Figure: Site-to-Site VPN. Image sources: Understanding Virtual Private Networking, from ADTRAN, http://www.adtran.com/adtranpx/Doc/0/EU0GPR0PEFB139RF038BE81ID8/EU0GPR0PEFB139RF038BE81ID8.pdf; and the copyrighted Cisco diagram at http://www.cisco.com/warp/public/779/largeent/design/intranet_vpn.html]


3.6 Extranet VPN

Cisco Definition: http://www.cisco.com/warp/public/779/largeent/design/extranet_vpn.html

[ Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate Intranet over a shared infrastructure using dedicated connections. Businesses enjoy the same policies as a private network, including security, QoS, manageability, and reliability. ]

* See reference section for resource detail.

[Figure: Extranet VPN. Image source: copyrighted Cisco diagram at http://www.cisco.com/warp/public/779/largeent/design/extranet_vpn.html]


[Figure. Image source: http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.pdf]

3.7 VPN Security

A well-designed VPN uses several methods for keeping your connection and data secure:

1) Firewalls

2) Encryption

3) IPsec

4) AAA servers


3.8 Firewalls

Definition (resource: Webopedia, http://www.webopedia.com/TERM/f/firewall.html):

[ (fīr´wâl) (n.) A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. ]

There are several types of firewall technique:

Packet filter: looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure correctly. In addition, a stateless packet filter is susceptible to IP spoofing, because it judges a packet only by the addresses and ports the packet itself carries; the usual countermeasure is to reject packets arriving on the outside interface that claim an inside source address.

Application gateway: applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation.

Circuit-level gateway: applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

Proxy server: intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

In practice, many firewalls use two or more of these techniques in concert.
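The spoofing point above can be made concrete. The block below is an added example, not code from the original project or from any firewall product: a stateless packet filter in Python whose first check rejects packets that arrive on the wrong interface for their claimed source address, before the ordinary first-match rule table is consulted. The interface names, address ranges, rule table and sample packets are all constructed for the example.

```python
"""Minimal stateless packet filter with an anti-spoofing check.

Added example for this report; not code from the original project or any
firewall product. Interfaces, addresses, rules and sample packets are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/24")   # assumed LAN behind the firewall
EXTERNAL_IF = "eth0"                       # assumed Internet-facing interface
INTERNAL_IF = "eth1"                       # assumed LAN-facing interface


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


def is_spoofed(pkt: Packet) -> bool:
    """A packet arriving from the Internet must not claim an internal source
    address, and a packet arriving from the LAN must come from the LAN range.
    Either violation is treated as spoofing regardless of the rule table."""
    src = ip_address(pkt.src)
    if pkt.in_if == EXTERNAL_IF and src in INTERNAL_NET:
        return True
    if pkt.in_if == INTERNAL_IF and src not in INTERNAL_NET:
        return True
    return False


# Ordered rule table: (interface, src network, dst network, proto, dport, action).
# proto "*" and dport 0 match anything. First match wins; default is DROP.
# 192.0.2.1 is the assumed public address of the VPN gateway.
RULES = [
    (EXTERNAL_IF, "0.0.0.0/0", "192.0.2.1/32", "udp", 500, "ACCEPT"),   # IKE to the gateway
    (EXTERNAL_IF, "0.0.0.0/0", "192.0.2.1/32", "tcp", 1723, "ACCEPT"),  # PPTP control channel
    (INTERNAL_IF, "10.0.0.0/24", "0.0.0.0/0", "*", 0, "ACCEPT"),       # LAN outbound
]


def filter_packet(pkt: Packet) -> str:
    """Return ACCEPT or DROP for one packet, anti-spoofing checked first."""
    if is_spoofed(pkt):
        return "DROP"
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for in_if, src_net, dst_net, proto, dport, action in RULES:
        if in_if != pkt.in_if:
            continue
        if src not in ip_network(src_net) or dst not in ip_network(dst_net):
            continue
        if proto != "*" and proto != pkt.proto:
            continue
        if dport and dport != pkt.dport:
            continue
        return action
    return "DROP"


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("eth0", "203.0.113.9", "192.0.2.1", "udp", 500),   # legitimate IKE from a peer
    Packet("eth0", "10.0.0.7", "192.0.2.1", "udp", 500),      # Internet packet claiming a LAN source
    Packet("eth0", "203.0.113.9", "192.0.2.1", "tcp", 445),   # not permitted by any rule
    Packet("eth1", "10.0.0.7", "198.51.100.1", "tcp", 443),   # LAN host browsing outbound
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", filter_packet(pkt))
```

The second sample packet would be accepted by the IKE rule alone; it is dropped only because the anti-spoofing check runs before the table. Stateful inspection and reverse-path filtering in real firewalls generalise this same idea.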


A firewall is considered a first line of defence in protecting private information. For greater security, data can be encrypted.

3.9 Encryption

Definition (resource: Webopedia, http://www.webopedia.com/TERM/e/encryption.html):

[ The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text. ]

My Definition:

Encryption is the process of taking the data that one computer is sending to another and encoding it into a form that only the intended recipient will be able to decode. Most computer encryption systems belong in one of two categories:

• Symmetric-key encryption

• Public-key encryption

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. One must know in advance which computers will be talking to each other so that the same key can be installed on each of them; distributing that key securely is the main practical problem. Symmetric-key encryption is essentially a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message.


This can be further understood by a simple example: you create a coded message to send to a friend in which each letter is substituted with the letter two places further along the alphabet. So "A" becomes "C" and "B" becomes "D". You have already told a trusted friend that the code is "shift by 2". Your friend gets the message and decodes it. Anyone else who sees the message sees only nonsense. (In reality a shift cipher has only 25 possible keys and is broken by trying them all; modern symmetric ciphers such as AES use keys of 128 bits or more.)

Public-key encryption uses a pair of keys: a private key and a public key. The private key is known only to our computer, while the public key is given out to any computer that wants to communicate securely with it. To send us an encrypted message, the other computer encrypts it with our public key; only our private key can decrypt it, which is why the public key can be published freely. The same key pair works the other way round for authentication: a signature made with the private key can be checked by anyone holding the public key. A very popular public-key encryption utility is Pretty Good Privacy (PGP), which can encrypt almost anything.
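As an added example (not code from the original project), the following Python block puts the two categories side by side: a generalised "shift by N" symmetric cipher, where both parties must already share N and an outsider can simply try every N, and a toy RSA key pair in which anyone may encrypt with the public key but only the private key decrypts, with the same pair used to sign and verify. The primes are fixed Mersenne primes chosen so the arithmetic stays visible; the scheme is deliberately unpadded and far too small for real use.

```python
"""Symmetric-key versus public-key encryption, side by side.

Added example for this report; not code from the original project. The
shift cipher generalises the "shift by 2" example in the text. The RSA
part is a textbook toy: fixed small primes, no padding, no real security.
"""
import hashlib

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Toy RSA primes: Mersenne primes 2**31-1 and 2**61-1, chosen for visibility only.
TOY_P = 2**31 - 1
TOY_Q = 2**61 - 1


def shift_encrypt(plaintext: str, key: int) -> str:
    """Symmetric: the one shared key both encrypts and decrypts."""
    out = []
    for ch in plaintext.upper():
        out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26] if ch in ALPHABET else ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    return shift_encrypt(ciphertext, -key)


def shift_brute_force(ciphertext: str, known_word: str) -> int:
    """Why a 25-key cipher is no protection: try every key, return the one that fits."""
    for key in range(1, 26):
        if known_word.upper() in shift_decrypt(ciphertext, key):
            return key
    return -1


def rsa_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)). pow(e, -1, phi) needs Python 3.8 or later."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def rsa_encrypt(message: bytes, public_key) -> int:
    """Anyone holding the recipient's public key can encrypt to them."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if not 0 < m < n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def rsa_decrypt(ciphertext: int, private_key) -> bytes:
    """Only the holder of the matching private key can decrypt."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def rsa_sign(message: bytes, private_key) -> int:
    """Authentication runs the other way round: the private key signs a hash..."""
    n, d = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def rsa_verify(message: bytes, signature: int, public_key) -> bool:
    """...and anyone with the public key can verify the signature."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


if __name__ == "__main__":
    secret = shift_encrypt("MEET AT THE BRANCH OFFICE", 2)
    print(secret, "-> key recovered by brute force:", shift_brute_force(secret, "OFFICE"))
    public, private = rsa_keypair(TOY_P, TOY_Q)
    c = rsa_encrypt(b"VPN key", public)
    print(rsa_decrypt(c, private), rsa_verify(b"hello", rsa_sign(b"hello", private), public))
```

The point to take from the RSA half is who needs what: the sender needs only the recipient's public key, and the recipient never sends its private key anywhere, which is exactly what removes the key-distribution problem of the symmetric case. Real deployments pad the message (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) and use keys of 2048 bits or more.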

3.10 IPSec

Definition (resource: Webopedia, http://www.webopedia.com/TERM/I/IPsec.html):

[ Short for IP Security, a set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPSec has been deployed widely to implement Virtual Private Networks (VPNs). ]

My Definition:

Internet Protocol Security (IPsec) adds security at the IP layer: the Authentication Header (AH) provides integrity and origin authentication, the Encapsulating Security Payload (ESP) adds confidentiality as well, and the Internet Key Exchange (IKE) negotiates the algorithms and session keys between the two peers. Because it works below the application layer, it protects any IP traffic without changes to the applications.


[Figure. Image source: http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.pdf]

IPsec has two modes: tunnel and transport. Tunnel mode encrypts the entire original packet, header and payload, and prepends a new outer IP header addressed between the two gateways, so an observer on the public network sees only the gateway addresses. Transport mode encrypts only the payload and leaves the original IP header in the clear, so it is used between end hosts rather than between gateways. Only systems that are IPsec compliant can take advantage of the protocol. The two peers must also agree on matching security association parameters (algorithms and keys, normally negotiated by IKE), and the firewalls of each network must have compatible security policies. IPsec can encrypt data between various devices, such as:

• Router to router

• Firewall to router

• PC to router

• PC to server
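To make the difference between the two modes visible, the following is an added example, not code from the original project: it builds a toy IPv4/TCP packet, wraps it in ESP the way transport mode and tunnel mode each do, and reports what a passive observer on the public network can read from each. The addresses, SPI values and key are constructed; the SHA-256 keystream "cipher" stands in for ESP's real AES and integrity check so that the block runs with the Python standard library only.

```python
"""What an observer sees: IPsec transport mode versus tunnel mode.

Added example for this report; not code from the original project. The
packets, addresses and key are constructed, and the keystream cipher is a
stand-in for real ESP cryptography.
"""
import hashlib
import struct

ESP_PROTO = 50   # IP protocol number of ESP, visible in the outer header
TCP_PROTO = 6

# Constructed values for the demonstration.
DEMO_KEY = b"constructed-demo-key"
DEMO_SEGMENT = b"GET /sales-figures HTTP/1.0\r\n"
HOST_A, HOST_B = "10.0.0.7", "10.1.0.20"        # end hosts behind each office
GW_A, GW_B = "192.0.2.1", "198.51.100.7"        # IPsec gateways on the Internet


def _addr(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; the checksum is left as zero in this toy."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, _addr(src), _addr(dst))


def keystream_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream). Stands in for ESP's AES."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_wrap(inner: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """ESP header (SPI, sequence number) in clear, then the encrypted body."""
    header = struct.pack("!II", spi, seq)
    return header + keystream_xor(inner, key, header)


def esp_unwrap(body: bytes, key: bytes) -> bytes:
    """Receiver side: the same keystream recovers the protected bytes."""
    header, encrypted = body[:8], body[8:]
    return keystream_xor(encrypted, key, header)


def transport_mode(src, dst, segment, spi, seq, key) -> bytes:
    """Transport mode: original IP header stays in clear; only the segment is protected."""
    body = esp_wrap(segment, spi, seq, key)
    return ipv4_header(src, dst, ESP_PROTO, len(body)) + body


def tunnel_mode(gw_src, gw_dst, src, dst, segment, spi, seq, key) -> bytes:
    """Tunnel mode: the whole original packet is encrypted and a new outer
    header carrying the gateway addresses is put in front of it."""
    inner = ipv4_header(src, dst, TCP_PROTO, len(segment)) + segment
    body = esp_wrap(inner, spi, seq, key)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(body)) + body


def visible_addresses(packet: bytes):
    """What a passive observer reads from the outer header: (src, dst, protocol)."""
    proto, src, dst = struct.unpack("!B2x4s4s", packet[9:20])
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(src), dotted(dst), proto


def exposes_host_addresses(packet: bytes, src: str, dst: str) -> bool:
    """True if either end-host address appears in clear anywhere in the packet."""
    return _addr(src) in packet or _addr(dst) in packet


def build_demo():
    """Return (transport_packet, tunnel_packet) for the constructed hosts."""
    t = transport_mode(HOST_A, HOST_B, DEMO_SEGMENT, 0x1000, 1, DEMO_KEY)
    u = tunnel_mode(GW_A, GW_B, HOST_A, HOST_B, DEMO_SEGMENT, 0x1001, 1, DEMO_KEY)
    return t, u


if __name__ == "__main__":
    for name, pkt in zip(("transport", "tunnel"), build_demo()):
        print(name, visible_addresses(pkt), "hosts exposed:",
              exposes_host_addresses(pkt, HOST_A, HOST_B))
```

In both modes the SPI and sequence number stay readable, which is what lets the receiving gateway pick the right security association before decrypting; only in tunnel mode do the private office addresses disappear from the wire.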


3.11 AAA Servers Definition: Resource: Webopedia

http://www.webopedia.com/TERM/A/AAA.html

[ Short for authentication, authorization and accounting, a system in IP-based

networking to control what computer resources users have access to and to

keep track of the activity of users over a network. ]

My Definition: AAA (authentication, authorization and accounting) servers are used for more

secure access in a remote-access VPN environment. When a request to

establish a session comes in from a dial-up client, the request is proxied to the

AAA server. AAA then checks the following:

• Who you are (authentication)

• What you are allowed to do (authorization)

• What you actually do (accounting)

The accounting information is especially useful for tracking client use for

security auditing, billing or reporting purposes.
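As an added example (not code from the original report, which does not name the AAA protocol), the exchange above carried over RADIUS (RFC 2865 and RFC 2866), the protocol Cisco network access servers and the Windows IAS service use for AAA. Both sides are shown: the VPN server builds an Access-Request with the password hidden under the shared secret, the AAA server authenticates it, authorizes the session by returning a Framed-IP-Address, and later accepts an Accounting-Request for it. The shared secret, the user record and the addresses are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865 and RFC 2866)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_START = 40, 44, 1

# Constructed for this example: the NAS/server shared secret and one user record
SECRET = b"example-shared-secret"
USERS = {b"alice": (b"correct horse battery", bytes([10, 0, 1, 50]))}  # password, VPN address


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, counting these two bytes) Value
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def signed_authenticator(code, ident, auth_in, attrs, secret):
    """MD5(Code + ID + Length + auth_in + Attributes + Secret): the RFC's construction for
    Response Authenticators (auth_in = Request Authenticator) and for Accounting-Request
    authenticators (auth_in = 16 zero bytes)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + auth_in + body + secret).digest()


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


# ---- NAS / VPN server side: the client's credentials are proxied to the AAA server ----
def nas_access_request(username, password, ident, secret=SECRET):
    request_auth = os.urandom(16)  # fresh per request; it also keys the password hiding
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))]
    return build(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def nas_check_reply(reply, request_auth, secret=SECRET):
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs = decode_attrs(reply[20:length])
    expected = signed_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("reply is not authenticated by the shared secret")
    return code, dict(attrs)


def nas_accounting_start(username, session_id, ident, secret=SECRET):
    attrs = [(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
             (USER_NAME, username), (ACCT_SESSION_ID, session_id)]
    auth = signed_authenticator(ACCOUNTING_REQUEST, ident, b"\0" * 16, attrs, secret)
    return build(ACCOUNTING_REQUEST, ident, auth, attrs)


# ---- AAA server side ----
def aaa_server_handle(packet, secret=SECRET):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    fields = dict(attrs)
    if code == ACCESS_REQUEST:
        user = fields.get(USER_NAME)
        password = reveal_password(fields.get(USER_PASSWORD, b""), secret, auth)
        if user in USERS and hmac.compare_digest(USERS[user][0], password):  # authentication
            reply_code = ACCESS_ACCEPT
            reply_attrs = [(FRAMED_IP_ADDRESS, USERS[user][1])]  # authorization: the address this user gets
        else:
            reply_code, reply_attrs = ACCESS_REJECT, []
        return build(reply_code, ident,
                     signed_authenticator(reply_code, ident, auth, reply_attrs, secret), reply_attrs)
    if code == ACCOUNTING_REQUEST:  # accounting
        if not hmac.compare_digest(auth, signed_authenticator(code, ident, b"\0" * 16, attrs, secret)):
            return None  # RFC 2866: a record that fails the authenticator check is silently discarded
        return build(ACCOUNTING_RESPONSE, ident,
                     signed_authenticator(ACCOUNTING_RESPONSE, ident, auth, [], secret), [])
    return None
```

The MD5 constructions are the RFC's own, not a design choice. They hide the password only as well as the shared secret, and a plain Access-Request carries nothing the server can verify (the Message-Authenticator attribute of RFC 2869 adds that), so the NAS-to-AAA path belongs on a protected management network or inside its own IPSec or TLS tunnel.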


3.12 VPN Technologies Depending on the type of VPN (remote-access or site-to-site), certain components will need to be put in place to build the VPN. These might include:

• Desktop software client for each remote user

• Dedicated hardware such as a VPN concentrator or a Cisco Secure PIX firewall

• Dedicated VPN server for dial-up services

• NAS (network access server) used by a service provider for remote-user VPN access

• VPN network and policy-management center

Because no single standard covers every part of a VPN deployment (tunnelling, authentication, client software and management are specified by different protocols, or by none), many vendors have developed turn-key solutions of their own.

I will discuss some of the solutions offered by Cisco, one of the most prevalent networking technology companies:

3.13 VPN Concentrator Cisco VPN concentrators are built specifically for terminating remote-access VPNs. They provide high availability, high performance and scalability, and they accept plug-in hardware modules, called scalable encryption processing (SEP) modules, that offload the encryption so that capacity and throughput can be increased without replacing the chassis. The concentrators are offered in models suitable for everything from small businesses with up to 100 remote-access users to large organizations with up to 10,000 simultaneous remote users.


3.14 VPN-Optimized Router Cisco's VPN-optimized routers provide scalability, routing, security and QoS (quality of service). Based on the Cisco IOS (Internetwork Operating System) software, there is a router suitable for every situation, from small-office/home-office (SOHO) access through central-site VPN aggregation to large-scale enterprise needs.

3.15 Cisco Secure PIX Firewall The Cisco PIX (Private Internet Exchange) firewall combines dynamic network address translation, proxy services, packet filtering, stateful firewalling and VPN termination in a single piece of hardware. Instead of Cisco IOS, this device runs a highly streamlined operating system that trades the ability to handle a variety of protocols for robustness and performance by focusing on IP.

3.16 Tunnelling Definition: Resource: Webopedia

http://www.webopedia.com/TERM/t/tunneling.html

[ (n.) A technology that enables one network to send its data via

another network's connections. Tunneling works by encapsulating a network

protocol within packets carried by the second network. For example,

Microsoft's PPTP technology enables organizations to use the Internet to

transmit data across a VPN. It does this by embedding its own network

protocol within the TCP/IP packets carried by the Internet. ]


My Definition: Most VPNs rely on tunneling to create a private network that reaches across

the Internet. Essentially, tunneling is the process of placing an entire packet

within another packet and sending it over a network. The protocol of the outer

packet is understood by the network and both points, called tunnel interfaces,

where the packet enters and exits the network.

To explain and simplify the process of Tunneling I will give an example: It’s

like having a Mobile phone delivered by Royal Mail. The Mobile Phone

Company packs the Mobile Phone (passenger protocol) into a box

(encapsulating protocol) which is then put on a Royal Mail delivery truck

(carrier protocol) at the Mobile Phone Company’s warehouse (entry tunnel

interface). The truck (carrier protocol) travels over the Motorways (Internet) to

customer’s home (exit tunnel interface) and delivers the Mobile Phone. The

customer opens the box (encapsulating protocol) and removes the Mobile

Phone (passenger protocol). That’s called Tunneling. Simple!

Tunneling requires three different protocols:

3.17 Carrier protocol - The protocol used by the network that the information is traveling over

3.18 Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data

3.19 Passenger protocol - The original data (IPX, NetBEUI, IP) being carried

Tunneling has several useful applications for VPNs. For example, a packet that uses a protocol not routed on the Internet (such as NetBEUI) can be placed inside an IP packet and sent across the Internet. Or a packet that uses a private (non-routable) IP address can be put inside a packet that uses a globally unique IP address to extend a private network over the Internet. Encapsulation on its own gives neither confidentiality nor integrity: of the encapsulating protocols listed above only IPSec protects the passenger data itself, PPTP depends on PPP-level MPPE encryption and L2TP on IPSec beneath it, and GRE alone sends everything in the clear.


3.20 Tunnelling: Site-to-Site In a site-to-site VPN, GRE (generic routing encapsulation) is normally the encapsulating protocol that provides the framework for how to package the passenger protocol for transport over the carrier protocol, which is typically IP-based. The GRE header records what type of packet is being encapsulated (the protocol type field) and can optionally carry a key and a sequence number that identify and order the traffic of one tunnel between the two endpoints. GRE itself neither encrypts nor authenticates, so a GRE tunnel that crosses the Internet is normally protected by IPSec; alternatively IPSec in tunnel mode is used directly as the encapsulating protocol. IPSec works well on both remote-access and site-to-site VPNs, but it must be supported at both tunnel interfaces to be used.
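An added example, not code from the original report, covering both the tunnel and transport modes of 3.10 and the carrier / encapsulating / passenger model of 3.16 to 3.20. It builds a passenger IPv4 packet from a private address, wraps it in GRE between two public gateway addresses, then protects the same packet with a toy ESP in tunnel mode and in transport mode and shows what an observer on the Internet can read in each case. The addresses, the key, the SPI values and the HMAC-based keystream cipher are constructed for the example; a real security association would use the AES suite negotiated by IKE.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 4, 17, 47, 50
ETHERTYPE_IPV4 = 0x0800

def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header without options; DF set, checksum filled in."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]

def parse_ipv4(packet):
    """Returns (src, dst, protocol, payload) after checking the header checksum."""
    ihl, total = (packet[0] & 0x0F) * 4, struct.unpack("!H", packet[2:4])[0]
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[9], packet[ihl:total]

# ---- GRE (RFC 2784): encapsulating protocol; carrier and passenger are both IPv4 here ----
def gre_encapsulate(passenger, carrier_src, carrier_dst):
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, version 0, passenger is IPv4
    return ipv4_header(carrier_src, carrier_dst, IPPROTO_GRE, 4 + len(passenger)) + gre + passenger

def gre_decapsulate(carrier):
    _, _, proto, payload = parse_ipv4(carrier)
    flags, ptype = struct.unpack("!HH", payload[:4])
    if proto != IPPROTO_GRE or ptype != ETHERTYPE_IPV4:
        raise ValueError("not GRE over IPv4 carrying IPv4")
    return payload[(8 if flags & 0x8000 else 4):]  # C bit: checksum and reserved field precede the payload

# ---- Toy ESP with RFC 4303 framing: SPI, sequence, padded payload, pad length, next header, 128-bit
# ICV. Cipher = HMAC-SHA256 keystream in counter mode (constructed stand-in for AES); verify before decrypt.
def _keys(key):
    return hmac.new(key, b"enc", hashlib.sha256).digest(), hmac.new(key, b"auth", hashlib.sha256).digest()

def _keystream(enc_key, spi, seq, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def esp_protect(plaintext, next_header, key, spi, seq):
    enc_key, auth_key = _keys(key)
    pad_len = -(len(plaintext) + 2) % 4  # pad so pad-length and next-header end on a 4-byte boundary
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ciphertext = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, spi, seq, len(body))))
    header = struct.pack("!II", spi, seq)
    return header + ciphertext + hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:16]

def esp_unprotect(esp, key):
    enc_key, auth_key = _keys(key)
    header, ciphertext, icv = esp[:8], esp[8:-16], esp[-16:]
    if not hmac.compare_digest(icv, hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:16]):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", header)
    body = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, spi, seq, len(ciphertext))))
    pad_len, next_header = body[-2], body[-1]
    return body[:len(body) - 2 - pad_len], next_header

def ipsec_tunnel_mode(passenger, gw_src, gw_dst, key, spi, seq):
    """Tunnel mode: the whole passenger packet, header included, goes inside ESP behind a new outer header."""
    esp = esp_protect(passenger, IPPROTO_IPIP, key, spi, seq)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp

def ipsec_transport_mode(passenger, key, spi, seq):
    """Transport mode: only the payload goes inside ESP; the original header stays, protocol becomes ESP."""
    src, dst, proto, payload = parse_ipv4(passenger)
    esp = esp_protect(payload, proto, key, spi, seq)
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def ipsec_receive(packet, key):
    """Recovers the passenger packet from either mode; the ESP next-header field tells them apart."""
    src, dst, proto, esp = parse_ipv4(packet)
    if proto != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    inner, next_header = esp_unprotect(esp, key)
    if next_header == IPPROTO_IPIP:
        return inner  # tunnel mode: the inner IP packet is complete
    return ipv4_header(src, dst, next_header, len(inner)) + inner  # transport mode: restore the header

def on_path_view(packet):
    """What an eavesdropper on the carrier network reads without the key: the outer header only."""
    src, dst, proto, _ = parse_ipv4(packet)
    return src, dst, proto
```

Compare on_path_view of the three results for one passenger packet: the GRE carrier and the transport-mode packet both expose the private 10.0.x.x addresses, the tunnel-mode packet exposes only the two gateways. That difference is why gateway-to-gateway VPNs use tunnel mode, and why a GRE tunnel that has to be private is itself run through IPSec.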

3.21 Tunnelling: Remote-Access In a remote-access VPN, tunneling normally takes place using PPP. PPP is a link-layer protocol that frames IP (and other network-layer protocols) over a point-to-point link such as a dial-up connection, and it also negotiates the link and authenticates the user (PAP, CHAP or MS-CHAP). A remote-access VPN carries these PPP frames inside IP packets across the Internet, which is why remote-access VPN tunneling relies on PPP.

Each of the protocols listed below was built on the basic structure of PPP and is used by remote-access VPNs.

3.22 L2F (Layer 2 Forwarding)

Definition: Resource: Webopedia

http://www.webopedia.com/TERM/L/Layer_Two_Forwarding.html

[ Often abbreviated as L2F, a tunneling protocol developed by Cisco Systems.

L2F is similar to the PPTP protocol developed by Microsoft, enabling

organizations to set up virtual private networks (VPNs) that use the Internet

backbone to move packets. ] Developed by Cisco, L2F will use any

authentication scheme supported by PPP.


3.23 PPTP (Point-to-Point Tunnelling Protocol)

Definition: Resource: Webopedia

http://www.webopedia.com/TERM/P/PPTP.html

[ Short for Point-to-Point Tunneling Protocol, a new technology for creating

Virtual Private Networks (VPNs) , developed jointly by Microsoft

Corporation, U.S. Robotics, and several remote access vendor companies,

known collectively as the PPTP Forum. A VPN is a private network of

computers that uses the public Internet to connect some nodes. Because the

Internet is essentially an open network, the Point-to-Point Tunneling Protocol

(PPTP) is used to ensure that messages transmitted from one VPN node to

another are secure. With PPTP, users can dial in to their corporate network via

the Internet. ]

PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend and ECI Telematics. PPTP carries the PPP frames inside GRE, encrypts them with MPPE at 40-bit or 128-bit strength, and will use any authentication scheme supported by PPP. Because the MPPE keys are derived from the user's password hash during MS-CHAP authentication, the tunnel is only as strong as that password and the MS-CHAP version in use, and the published weaknesses of both MS-CHAP versions mean PPTP should not be relied on where confidentiality matters.

3.24 L2TP (Layer 2 Tunneling Protocol)

Definition: Resource: Webopedia

http://www.webopedia.com/TERM/L/L2TP.html

[ Short for Layer Two (2) Tunneling Protocol, an extension to the PPP

protocol that enables ISPs to operate Virtual Private Networks (VPNs).


L2TP merges the best features of two other tunneling protocols: PPTP from

Microsoft and L2F from Cisco Systems. Like PPTP, L2TP requires that the

ISP's routers support the protocol. ]

L2TP is the product of a partnership between the members of the PPTP Forum, Cisco and the IETF (Internet Engineering Task Force). It combines features of both PPTP and L2F, but L2TP itself provides no encryption: it is normally run over IPSec (L2TP/IPSec, RFC 3193), which supplies the confidentiality and integrity, and that combination is what the built-in clients of Windows 2000 and later use.

L2TP can be used as a tunneling protocol for site-to-site VPNs as well as remote-access VPNs. In fact, L2TP can create a tunnel between:

• Client and router

• NAS and router

• Router and router

3.25 MPLS: ** Note: MPLS Information & Description Is Taken From The Article

Resource:

“The MPLS FAQ” - MPLS-RC - The MPLS Resource Center

http://www.mplsrc.com/mplsfaq.shtml

Copyright 2000-2004, MPLSRC.COM

**

MPLS History

a. What is MPLS? MPLS stands for "Multiprotocol Label Switching". In an MPLS network,

incoming packets are assigned a "label" by a "label edge router (LER)".

Packets are forwarded along a "label switch path (LSP)" where each "label

switch router (LSR)" makes forwarding decisions based solely on the contents

of the label. At each hop, the LSR strips off the existing label and applies a

new label which tells the next hop how to forward the packet.


Label Switch Paths (LSPs) are established by network operators for a variety

of purposes, such as to guarantee a certain level of performance, to route

around network congestion, or to create IP tunnels for network-based virtual

private networks. In many ways, LSPs are no different than circuit-switched

paths in ATM or Frame Relay networks, except that they are not dependent on

a particular Layer 2 technology.

An LSP can be established that crosses multiple Layer 2 transports such as

ATM, Frame Relay or Ethernet. Thus, one of the true promises of MPLS is

the ability to create end-to-end circuits, with specific performance

characteristics, across any type of transport medium, eliminating the need for

overlay networks or Layer 2 only control mechanisms.

To truly understand what MPLS is, RFC 3031 (Multiprotocol Label Switching Architecture) is required reading.

b. How did MPLS evolve? MPLS evolved from numerous prior technologies including Cisco's "Tag

Switching", IBM's "ARIS", and Toshiba's "Cell-Switched Router". More

information on each of these technologies can be found at

http://www.watersprings.org/links/mlr/. The IETF's MPLS Working Group

was formed in 1997.

c. What problems does MPLS solve? The initial goal of label based switching was to bring the speed of Layer 2

switching to Layer 3. Label based switching methods allow routers to make

forwarding decisions based on the contents of a simple label, rather than by

performing a complex route lookup based on destination IP address. This

initial justification for technologies such as MPLS is no longer perceived as

the main benefit, since Layer 3 switches (ASIC-based routers) are able to

perform route lookups at sufficient speeds to support most interface types.


However, MPLS brings many other benefits to IP-based networks; they include:

• Traffic Engineering - the ability to set the path traffic will take through the network, and the ability to set performance characteristics for a class of traffic

• VPNs - using MPLS, service providers can create IP tunnels throughout their network, without the need for encryption or end-user applications

• Layer 2 Transport - New standards being defined by the IETF's PWE3 and PPVPN working groups allow service providers to carry Layer 2 services including Ethernet, Frame Relay and ATM over an IP/MPLS core

• Elimination of Multiple Layers - Typically most carrier networks employ an overlay model where SONET/SDH is deployed at Layer 1, ATM is used at Layer 2 and IP is used at Layer 3. Using MPLS, carriers can migrate many of the functions of the SONET/SDH and ATM control plane to Layer 3, thereby simplifying network management and network complexity. Eventually, carrier networks may be able to migrate away from SONET/SDH and ATM altogether, which means elimination of ATM's inherent "cell-tax" in carrying IP traffic.

d. What is the status of the MPLS standard? Most MPLS standards are currently in the "Internet Draft" phase, though

several have now moved into the RFC-STD phase. See "MPLS Standards" for

a complete listing of current ID's and RFC's. For more information on the

current status of various Internet Drafts, see the IETF's MPLS Working Group

home page at http://www.ietf.org/html.charters/mpls-charter.html


There's no such thing as a single MPLS "standard". One day there will be a

set of RFCs that together will allow you to build an MPLS system. For

example today, a typical IP router spec. sheet will list about 20 RFCs to which

this router will comply. If you go to the IETF web site (http://www.ietf.org),

then click on "I-D Keyword Search", enter "MPLS" as your search term, and

crank up the number of items to be returned, (or visit

http://www.mplsrc.com/standards.shtml) you'll find over 100 drafts currently

stored. These drafts have a lifetime of 6 months. Some of these drafts have

been adopted by the IETF WG for MPLS.

Further reading:

Additional information on MPLS:

For articles, papers, and additional resources, see the MPLS Resource Center

at http://www.mplsrc.com

**
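As an added example that is not part of the FAQ quoted above, the label operations it describes, in code: an ingress LER classifies a packet by destination prefix (the FEC) and pushes a label, each LSR forwards on the top label alone and swaps it for the next one, and the penultimate LSR pops it so that the egress LER receives the plain IP packet. The RFC 3032 shim-header layout is real; the router names, label values, prefixes and the packet bytes are constructed for the example.

```python
import ipaddress
import struct


def encode_label_stack(entries):
    """entries: [(label, tc, ttl), ...], top of stack first. RFC 3032 shim: 20-bit label,
    3-bit traffic class, 1-bit bottom-of-stack (S), 8-bit TTL. The last entry gets S = 1."""
    words = []
    for i, (label, tc, ttl) in enumerate(entries):
        bottom = 1 if i == len(entries) - 1 else 0
        words.append(struct.pack("!I", (label << 12) | (tc << 9) | (bottom << 8) | ttl))
    return b"".join(words)


def decode_label_stack(frame):
    """Returns (entries, payload); the payload starts after the entry with S = 1."""
    entries, offset = [], 0
    while True:
        word = struct.unpack("!I", frame[offset:offset + 4])[0]
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        offset += 4
        if (word >> 8) & 1:
            return entries, frame[offset:]


class LabelEdgeRouter:
    """Ingress LER: the only place the IP destination is looked up. The matching
    prefix (the FEC) selects the LSP, that is, the first label to push."""
    def __init__(self, name, fec_table):
        self.name = name
        self.fec_table = [(ipaddress.ip_network(prefix), label) for prefix, label in fec_table]

    def ingress(self, ip_packet, dst_ip, ttl=64):
        for network, label in self.fec_table:
            if ipaddress.ip_address(dst_ip) in network:
                return encode_label_stack([(label, 0, ttl)]) + ip_packet
        raise LookupError("no LSP for " + dst_ip)


class LabelSwitchRouter:
    """Core LSR: forwards on the top label alone, never on the IP header underneath."""
    def __init__(self, name, ilm):
        self.name, self.ilm = name, ilm  # incoming label map: in_label -> (out_label or None, next hop)

    def forward(self, frame):
        stack, payload = decode_label_stack(frame)
        label, tc, ttl = stack[0]
        if ttl <= 1:
            raise ValueError(f"{self.name}: label TTL expired, frame dropped")
        if label not in self.ilm:
            raise LookupError(f"{self.name}: unknown label {label}, frame dropped")
        out_label, next_hop = self.ilm[label]
        # swap: replace the top label; pop (out_label None): expose what is underneath,
        # which on the penultimate hop is the plain IP packet for the egress LER
        new_stack = ([(out_label, tc, ttl - 1)] if out_label is not None else []) + stack[1:]
        return next_hop, (encode_label_stack(new_stack) if new_stack else b"") + payload


def run_lsp(ingress, lsrs, first_hop, ip_packet, dst_ip):
    """Walks one packet along an LSP. Returns ([(router, label seen)], egress name, bytes delivered)."""
    routers = {r.name: r for r in lsrs}
    frame, hop, trace = ingress.ingress(ip_packet, dst_ip), first_hop, []
    while hop in routers:
        trace.append((hop, decode_label_stack(frame)[0][0][0]))
        hop, frame = routers[hop].forward(frame)
    return trace, hop, frame


def payload_at_hop(frame):
    """The customer packet as any LSR on the path can read it: labels add no confidentiality."""
    return decode_label_stack(frame)[1]
```

payload_at_hop makes the security point behind the FAQ's "without the need for encryption": every core router on the path can read the customer packet, so the privacy of an MPLS VPN is traffic separation by label, not confidentiality, and a customer who needs the latter runs IPSec over the MPLS VPN.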


Virtual Private Networking – Project Plan

Chapter 4 - Project Plan

My project plan consisted of three major steps:

4.1 Step 1) My first step would be to collect information and data about the company's existing hardware and software, to visit and inspect the premises, and to make an inventory in order to determine what the suitable next step for their organization would be.

When I visited the premises I did a small survey and noted that they were using ten computers in a domain-based Local Area Network environment, connected together through a router. These computers comprise Shuttle workstations (see [Shuttle]) running the Microsoft Windows 2000 Professional operating system, and a Fujitsu Siemens server (see [Fujitsu]) running the Microsoft Windows Server 2003 operating system. The hardware configurations are as follows:

Figure 1. Shuttle workstation

• Shuttle small-form-factor PC

• AMD Athlon XP processor

• Kingston 512 MB DDR RAM

• Seagate 160 GB hard disk drive

• NVidia 64 MB graphics card

• Lite-On CD writer

• Sony floppy drive

• Gigabit Ethernet adaptor

• Logitech keyboard

• Logitech mouse

The server is a Fujitsu Siemens server and has the following hardware specifications:

Figure 2. Fujitsu Siemens server

• Intel Pentium 4 3.0 GHz processor

• Kingston 3 GB DDR RAM

• 320 GB SATA hard disk drives

• NVidia 128 MB graphics card

• Lite-On DVD rewriter

• Two Gigabit Ethernet adaptors

• Sony floppy drive

• Logitech keyboard

• Logitech mouse

4.2 Step 2) After taking the inventory, the next step was to prepare Windows Server 2003 for configuration changes. Following that, the next step was to install ISA Server 2000 and to configure it for VPN.

These steps are demonstrated and documented in great detail in Appendices A, B, C, D, E and F.

4.3 Step 3) To educate the staff about connecting to the VPN [see Appendix G].


RESOURCES AND ASSIGNMENTS                    START DATE    FINISH DATE
Abstract                                     17/02/2005    22/02/2005
Introduction                                 24/02/2005    24/02/2005
The project proposal                         25/02/2005    03/03/2005
Investigation and result                     04/03/2005    28/04/2005
Conclusion & Completion of Final Report      29/04/2005    18/05/2005
Web Site                                     19/05/2005    20/05/2005
Article                                      20/05/2005    20/05/2005


Virtual Private Networking – Investigation and result

Chapter 5 - Investigation and result

When I analyzed the problem I saw two problems instead of one! The first was the convergence of various services and platforms, and the second was remote availability. These are two separate problems, but they can actually be addressed by just one solution: Virtual Private Networking!

Virtual Private Networking offers scalability and remote availability, and eventually offers convergence as well. How does a VPN offer convergence, you might ask? Well, let's take Sun Infosys Ltd's scenario. They have CCTV systems, which are currently offline systems, and PC hardware assembling and sales. By leveraging a VPN the offline CCTV systems can be linked to the internet and intranet, effectively making the CCTV systems online systems. The PC assembling department has to go through various procedures such as hardware procurement, supply chain management, stock, sales, dispatch, returns, technical support and marketing. All these aspects can be brought together via a single online or networked system; in both cases a VPN again is the answer, bridging the gap.

In my view the possible methods to achieve the objective would be:

5.1 Virtual Private Networking using hardware based tools and technologies.

5.2 Virtual Private Networking using software based tools and technologies.

5.3 Protocol Selection

5.4 Performance needs

5.5 IP Address Planning

5.6 ISP Evaluation

5.7 Installing and configuring ISA Server 2000 on Windows Server 2003 for Remote VPN


5.1 Hardware Based Solutions:

For hardware based solutions, various tools and devices are available from a number of vendors; these include Cisco, the most often mentioned, SonicWall, Shiva and others; the list is endless. They include VPN-enabled and VPN pass-through routers, VPN concentrators, VPN-optimized routers and VPN firewalls.

5.2 Software Based Solutions:

For software based solutions there are numerous products on the market, each catering to the needs of a particular kind of scenario. The good side of software based solutions is that they are very customizable, upgradeable and scalable. The bad point is that they are prone to failures, attacks, viruses and performance issues.

Software based solutions are best offered by the software giant Microsoft, then Symantec, Check Point Software, Cisco and many others.

5.3 Protocol Selection

When talking about protocol selection for a VPN implementation I have to take into account Sun InfoSys Ltd's existing infrastructure, the scale of the company, the costs and the budget.

Keeping the above factors in view, Sun InfoSys is a small to medium sized organization, and in my view the best protocol to go for would be IPSec, with an IPSec to IPSec implementation, given its various qualities, which are discussed and researched further in the proposal.

When talking about software based solutions a point to note is that they are all platform dependent. Hence they can incur overhead costs and expensive expertise to pay for installation and/or management. I chose ISA Server 2000 for this implementation. I decided to show the work done with the help of figures, to better understand each step that I took. The next steps were:

• Performance needs of the remote applications

• IP Address Planning

• ISP Evaluation

• Installing and configuring ISA Server 2000 on Windows Server 2003 for Remote VPN

5.4 Performance needs:

The applications that are being used in Sun InfoSys Ltd. are SAGE, MS Office, Internet Explorer, Microsoft Outlook, Microsoft Remote Desktop, and the IP cameras' and DVRs' proprietary software. The most resource hungry applications are SAGE and the IP camera and DVR remote viewing software.

My analysis after actual testing is that these applications are not incredibly resource hungry, yet they are not at the basic level either; in other words they are neither enterprise class applications nor basic home applications. They are medium level, moderate applications which require fairly consistent performance, if not super fast performance.

Because of the nature of the camera and DVR software, they need to have the highest frames per second and need no frames to be dropped, the reason being that if any frame is dropped while a burglary is occurring in that given time and frame then the evidence could be lost. Therefore I decided that I should choose a solution that would provide me consistency and a small number of errors while also delivering adequate speed and performance.

5.5 IP Address Planning:

Sun InfoSys Ltd. does not need a huge number of IP addresses to be purchased from an ISP, because the whole network only needs to be available to certain individuals, and they can log on over the internet.

In my investigation I found out that they need 5 static IP addresses, which should be purchased from their ISP: one for the remote connection capability, one for backup purposes, another for network allotment and the remaining two for future requirements such as a Windows Media server, as they are planning to do web casting for some of their customers.

5.6 ISP Evaluation:

Sun InfoSys Ltd. is already on a business plan with an Internet Service Provider called Eclipse Internet. The service provider is excellent and is already providing all the necessary broadband and bandwidth; the requested 5 static IP addresses were readily provided by them. I did not find any need to move to another ISP, and this ISP is excellent.

5.7 Installing and configuring ISA Server 2000 on Windows Server 2003 for Remote VPN:

I installed and configured (partitioning the hard drive, formatting the hard drive etc.) a Windows Server 2003 system for the purpose of VPN. See Appendix A for the detailed procedures.

After this step I followed the excellent articles and help available in abundance from Microsoft and on the internet on how to install and configure a VPN on Microsoft Windows Server 2003.

I installed ISA Server 2000 because it was cheap, offered everything that this project required and was fairly easy to deploy. See Appendices B, C, D, E and F.

The articles can be found at:

[ http://www.microsoft.com/ ]

[ http://www.microsoft.com/isaserver/default.mspx ]


Virtual Private Networking – Critical Appraisal

Chapter 6 - Critical appraisal of the work done

The work done in this project was an analysis of the current situation of Sun InfoSys Ltd. and coming up with solutions; the solution I followed for implementation was a real time implementation of Virtual Private Networking. I decided to follow the software based route rather than the hardware based route because of the company's budget and size considerations. I eventually did manage to implement the solution and generally had a most pleasant time in doing so.

I encountered problems in actually communicating with the company so as to make them aware of the demands of this project. I found it quite a difficult task to communicate with non-technical management about such a technical task. I think I should improve my project management skills, which would have enabled me to communicate effectively and on their level. Point noted!

Looking back at the work that I carried out, I could have tried to implement this solution on a Unix platform, but I still think that the time frame that would have been required to complete it would have exceeded the time frame given by the company and hence would have invalidated this research; however, the really low cost involved in deploying Unix based solutions is quite enticing for companies. In the end I am satisfied I chose the right solution, and the company is satisfied as well.

Website: http://www.rashidkhan.co.uk


Virtual Private Networking - Conclusion

Chapter 7 - Conclusion

I developed a Website for this project and it can be found at:

http://www.rashidkhan.co.uk/

When Microsoft released Windows 2000 in the year 2000 it caused a stir in the industry by announcing that Windows 2000 would offer Virtual Private Networking. There were several concerns and complaints in the industry, such as "Microsoft's implementation adds data overhead and slows down transaction processing" and "Will established VPN products from other vendors work with Microsoft's technology?"

"If you're using IP, we don't see the reason to use L2TP," comments Iris Tal [see CNN], RadGuard's technical support manager. "It only causes overhead for network traffic because it's 'double-tunneling.' But because of Microsoft's L2TP client software, I'm sure we'll do the support for it in our product."

Many VPN vendors have opposed Microsoft's VPN implementation, complaining that it adds data overhead and slows down transaction processing. On the other hand some companies, such as Check Point Software and Newbridge Networks, acknowledge that they can't afford to ignore that hundreds of thousands of desktops will probably end up running Microsoft's new software. This fact is by far the most significant and very crucial, and has to be taken into account, as most companies have a Microsoft environment already in place, and this is the scenario in Sun InfoSys Ltd as well.

Another point that I noted is that since releasing Windows 2000 Microsoft has progressed, updated and made advanced changes in their Windows Server 2003 operating system.


I had several meetings with Mr. Andy, the managing director, the sales team, the support team and the technicians, and visited both the head office and the branch office. I took an inventory of the existing hardware [see Project Plan], computer systems, budget and the time frame required. Their budget was simply low and literally spelt out that I must use the existing systems.

I had proposed two options in my Project Proposal, but the UNIX based proposal was declined due to their low budget and inability to adopt an abrupt system wide change of operating systems, especially since everything was already functioning and in place. A key point to be taken into account here is that they already had Windows Server 2003 as part of their server. That meant that they did not need to purchase it. Consequently these facts made the Windows based solution the winning choice.

I found out that installing Microsoft's ISA Server 2000 and using it to its full potential is quite a complicated and difficult task to perform, even though it might look simple. The minute intricacies and planning procedures involve a great deal of time and effort, and if miscalculated or carried out improperly can result in complete failure and double the time frame required for implementation.

The related personnel were briefed and shown how to use the new system to its full potential. It took a bit of time and effort on my behalf; I gave them instructions on how to connect to their VPN [see Appendix G] and how to do their related tasks of managing the warehouse, despatch, sales and technical support, all remotely. It was not an easy task, as this was quite a new and complex task for them to grasp. But it was not a major issue, and eventually it was overcome by trying and trying again.

This placement has had many positive effects on me. I have learnt a lot, for example how to communicate, how to analyze problems, how to analyze company expectations, and how to come up with various solutions that might be possible and feasible. I found out that planning things, taking personal notes, and being highly observant and determined at all times really does help.


After this work placement I am able to identify with the real life professional work environment. I am able to organize myself, to face challenges and to complete personal and professional milestones.

I have come to conclude that this company actually did benefit enormously from a Virtual Private Network, because they have made gains in managing their resources, which shows in their sales figures and in better customer feedback, made possible by even better and more informed technical support because they are in touch all the time. This project was also successful partly because they already had most of the infrastructure in place, most importantly the Windows Server 2003 operating system software. That was definitely a deciding factor for the management in taking up my Windows based solution, as they did not have to incur extra cost in procuring any other operating system software or expertise to maintain it.

I am very pleased with the outcome of this project and so is the company. The project was well managed and finished on time with a small budget. A nice possible outcome for me could be that they might even offer me a permanent position in their company.


Virtual Private Networking – Suggestions for further work

Chapter 8 - Suggestions for further work

The project can be implemented using the Unix operating system on a much cheaper scale and in a surprisingly more secure manner, but the downside is that the time frame required to install, configure and deploy such an option is often too long for an organization.

Another fact is that organizations generally do not have Unix administrators and find them costly to obtain. If Sun InfoSys Ltd.'s company size and operations increase twofold then I would suggest implementing a Unix solution and hiring a Unix administrator to maintain the network.

The benefits and advantages of a UNIX based solution are that it is a cheaper option to procure and implement than the more proprietary Windows based solutions by Microsoft, it is more effective on a larger scale, and it offers more stability and security. The biggest advantage of the UNIX platform is its security, since the Microsoft platform is plagued by security loopholes, viruses, hacking, bugs, patches etc., hence not offering the stability a larger organization would require to keep its operations up and running all the time.

Another advantage of the UNIX environment is that it does not require expensive new or updated hardware to run and can run on an older, cheaper computer. It offers more speed.

The UNIX operating system was originally adopted by big financial institutions like banks, which required ultimate security and stability as they have huge amounts of money and consumer confidentiality at stake. UNIX was written with these requirements in mind, so it utilizes less memory and hardware; furthermore it is a centralized operating system with one source being accessed by thousands of users simultaneously.


With all the above in mind, my suggestion for further work would be to research a solution offering Virtual Private Networking under a UNIX platform rather than the Microsoft platform. Just like the Microsoft platform, UNIX is an operating system, but it is more stable and secure. In order to implement Virtual Private Networking there are applications that can be installed and configured, namely the Apache Tomcat server, which is very similar to the Microsoft Internet Information Server (IIS). The Apache server can then be configured to offer Virtual Private Networking via third-party software.

One key point to note is to consider the organization’s size and its budget when implementing a solution. At the given time this organization had a very low budget but also a small organization size. In my opinion a UNIX-based solution would not have been feasible because of underlying factors, namely the expensive staff needed to manage and monitor UNIX. Because UNIX is generally used in big financial organizations, these installations have a complex structure, are quite difficult to manage and require expert UNIX staff to maintain their facilities. These staff work in highly paid positions and would not consider working in a smaller organization such as Sun InfoSys Ltd. with lower wages.

Therefore I would only recommend such a UNIX-based solution when this company expands and increases in size exponentially, as only then will it have adequate resources to justify the expensive labour.


Page 55: VIRTUAL PRIVATE NETWORKING.pdf

APPENDICES

APPENDIX A APPENDIX B APPENDIX C APPENDIX D APPENDIX E APPENDIX F


APPENDIX A

Implementation – Installing Windows Server 2003


Virtual Private Networking – Appendix A– Installing Windows Server 2003

WEBSITE: http://www.rashidkhan.co.uk/ AND ALSO AVAILABLE ON CD

INSTALLING WINDOWS SERVER 2003

To install Windows Server 2003 the following actions were taken:

Booted directly from the Windows Server 2003 CD.

Setup loaded all the needed files and drivers.

The setup process began by loading a blue text-mode screen. I was asked to accept the EULA and choose a partition on which to install Windows Server 2003, then I was asked to format it using either FAT, FAT32 or NTFS. I chose NTFS.

Selected to Setup Windows Server 2003 by pressing ENTER.

Read and accepted the licensing agreement by pressing F8 to accept it.

The hard disk was unpartitioned, so I created and sized the partition on which to install Windows Server 2003.

Selected the NTFS file system for the installation partition.

Setup then began copying necessary files from the installation CD.


The computer then restarted in graphical mode, and the installation continued in a GUI mode phase. It then began to load device drivers based upon what hardware was found on the computer.

I didn't need to make any changes to the system locale etc. and just pressed Next.

Setup then copied the necessary files from the installation CD.

I was then prompted to enter a name, organization name, the product key, the appropriate license type and number of purchased licenses.

I was prompted to type the computer name and a password for the local Administrator account. Selected the date, time, and time zone settings. Setup then installed the networking components. I then highlighted the TCP/IP selection and pressed Properties. In the General tab I entered the required information: I had to specify the IP address of the computer and the subnet mask. The next step was to finish copying files and complete the setup. After the copying and configuring phase finished, setup completed and booted Windows Server 2003.


After careful study I found out that the following procedures must be performed to install ISA Server 2000 on a Windows Server 2003 computer, and they must be performed in the following order:

• Install Windows Server 2003

• Install ISA Server 2000

• Install ISA Server Service Pack 1

• Install isahf255.exe

• Install Feature Pack 1

ISA Server 2000 can be installed in one of three modes:

• Cache Mode

Caching mode ISA Server is designed to have one or two network interfaces. Each interface must be located on the internal network because packet filtering is not enforceable on a caching-only ISA Server machine.

• Firewall Mode

Firewall mode provides a high level of firewall protection from external intruders and also protects your network by enabling granular outbound access control. Firewall mode does not include the Web caching features that are part of the Cache mode server.

• Integrated Mode

Integrated mode provides all the firewall and caching features available with ISA Server 2000.

The “Windows Server 2003” server machine that I was using for VPN deployment had to have the following characteristics:

• At least two network interfaces – one internal and one external

• DNS setting on the internal interface uses an internal DNS server that can resolve Internet host names

• All non-essential services on the ISA Server 2000 machine are disabled

An Integrated mode ISA Server firewall requires at least one internal and one external interface.

• The internal interface is never configured with a default gateway address. The IP address on the internal interface is always on the LAT.

• The external interface is configured with a default gateway that routes packets to the Internet. The external interface is never on the LAT.

Windows Server 2003, like Windows 2000, allows a single default gateway. The result is that ISA Server 2000 on Windows Server 2003 supports a single external interface or single Internet interface. I can have multiple public address DMZ interfaces, but only a single interface can connect the internal network to the Internet. The DNS settings on the ISA Server interfaces must be configured correctly. Misconfiguration of the DNS settings is the most common configuration error made on ISA Server firewalls in production. The preferred setup is to:

• Configure the internal interface of the ISA Server with the address of a DNS server on the internal network that is capable of resolving Internet host names

• Place the internal interface at the top of the interface list. Windows Server 2003 uses the interface order to determine which name server addresses to query first.

• Do not enter a DNS server address on the external interface.

I had to perform the following steps to configure the interface order on the ISA Server computer:

1. Clicked Start, pointed to Control Panel and right clicked on Network Connections. Clicked the Open command (figure 1).

Figure 1

2. In the Network Connections window, clicked the Advanced menu and then clicked the Advanced Settings command (figure 2).

Figure 2

3. In the Advanced Settings dialog box, selected the interface representing the internal interface and clicked the up arrow to move the internal interface to the top of the interface list. Clicked OK in the Advanced Settings dialog box after making the changes to the interface order.

Figure 3

I disabled all non-essential services on the ISA Server firewall computer. While individual implementations of ISA Server firewalls require a customized set of services, it is safe to conclude that the IIS W3SVC (the World Wide Web service) should not run on the ISA Server firewall.


APPENDIX B

Implementation – Installing ISA Server 2000


Virtual Private Networking – Appendix B– Installing ISA Server 2000

Installing ISA Server 2000

I located the ISA Server 2000 CD-ROM disk and put it into the CD-ROM drive. Performed the following steps to install ISA Server on a Windows Server 2003 machine:

1. Double-clicked on the ISAAutorun.exe file on the ISA Server CD (figure 4), local hard disk, or network share point.

Figure 4

2. Clicked on the Install ISA Server link on the Internet Security & Acceleration Server 2000 splash page (figure 5).

Figure 5


3. I saw an ISA 2000 dialog box informing me that I needed to install ISA 2000 Service Pack 1 (figure 6). Error messages occurred during the installation. I was not concerned about these errors, as I would perform the required procedures to prevent them from becoming a problem. Clicked Continue.

Figure 6

4. Clicked Continue on the Welcome to the Microsoft ISA Server installation program page (figure 7).

Figure 7

5. Entered the CD Key in the CD Key dialog box (figure 8). Clicked OK.

Figure 8

6. Wrote down the Product ID as listed in the Product ID dialog box. Clicked OK in the Product ID dialog box after writing this number down.

7. Clicked I Agree in the Microsoft ISA Server Setup dialog box (figure 9).

Figure 9

8. Clicked the Full Installation button in the installation type dialog box (figure 10). This allows me to use all ISA Server features. I can use the Add/Remove Programs applet later if I need to remove some ISA Server features.

Figure 10

9. Here I was installing ISA Server in standalone mode, not in enterprise array mode. Clicked Yes in the dialog box that asked if I wanted to continue (figure 11).

Figure 11

10. Selected the Integrated mode option on the Select the mode for this server page (figure 12). I wanted to take advantage of the full power of the ISA Server firewall. Integrated mode gives everything the Web Proxy and Firewall services have to offer. Clicked Continue.

Figure 12

11. On the Web cache page (figure 13), selected a drive to put the Web cache file on. The drive had to be NTFS, so I made sure of that. Typed in a size of the cache in the Cache size (MB) text box and then clicked the Set button. Then clicked OK.

Figure 13

12. On the LAT page (figure 14), clicked the Construct Table button. On the Local Address Table page, removed the checkmark in the Add the following private ranges checkbox. Put a checkmark in the Add address ranges based on the Windows 2000 Routing Table checkbox. Removed the checkmark from the checkbox representing the external interface, and left the checkmark in the checkbox for the internal interface. Clicked OK in the Local Address Table dialog box, then clicked OK in the Setup Message dialog box that informed me that the LAT was constructed based on the Windows 2000 routing table (in spite of the fact that I am installing ISA Server on a Windows Server 2003 machine).

Figure 14

13. Clicked OK on the LAT dialog box after reviewing the listing in the Internal IP ranges list (figure 15).

Figure 15

14. Unlike Windows 2000, Windows Server 2003 does not install IIS by default. I saw a dialog box telling me that I will have to install the SMTP service if I want to run the SMTP Message Screener. Clicked OK to continue (figure 16).


Figure 16

15. When installation was complete, I saw a warning balloon informing me that ISA 2000 will cause Windows to become unstable. Closed the balloon, removed the checkmark from the Start ISA Server Getting Started Wizard checkbox, and then clicked OK in the Launch ISA Management Tools dialog box (figure 17).

Figure 17

16. Clicked OK in the dialog box informing me that setup was completed (figure 18).


Figure 18

17. Clicked OK in the dialog box informing me that setup has failed to start one or more services (figure 19).

Figure 19

Now I was ready to install ISA Server Service Pack 1.
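The interface rules of Appendix A (no default gateway or LAT membership on the wrong side, no DNS address on the external interface, internal interface first in the binding order) and the routing-table-based LAT construction of Appendix B step 12, checked programmatically as an added example that is not part of this report; the interface names, addresses and routing table are constructed sample data, not the Sun InfoSys network.

```python
"""Model of the ISA Server 2000 interface and LAT rules from Appendices A and B.
Added example, not from the project report; all names, addresses and routes
below are constructed sample data (documentation address ranges)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Interface:
    name: str
    ip: str
    gateway: Optional[str]                     # default gateway, None if none is set
    dns_servers: List[str] = field(default_factory=list)
    internal: bool = False                     # True for the LAN-side NIC


@dataclass
class Route:
    destination: str                           # network address, "0.0.0.0" for the default route
    mask: str
    interface: str                             # name of the NIC the route is bound to


def construct_lat(routes, interfaces):
    """Build the Local Address Table the way Appendix B step 12 does: from the
    routing table, keeping only routes bound to the internal interface(s)."""
    internal_names = {i.name for i in interfaces if i.internal}
    lat = set()
    for r in routes:
        if r.interface not in internal_names:
            continue                           # the external NIC was unchecked in the wizard
        net = ipaddress.IPv4Network(f"{r.destination}/{r.mask}", strict=False)
        if net.prefixlen > 0:                  # a default route is never a LAT range
            lat.add(net)
    return sorted(lat, key=lambda n: (int(n.network_address), n.prefixlen))


def in_lat(ip, lat):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in lat)


def check_isa_configuration(interfaces, binding_order, lat):
    """Return a finding for every Appendix A rule that is violated (empty list = OK)."""
    findings = []
    internal = [i for i in interfaces if i.internal]
    external = [i for i in interfaces if not i.internal]
    if not internal or not external:
        findings.append("need at least one internal and one external interface")
    for i in internal:
        if i.gateway is not None:
            findings.append(f"{i.name}: internal interface must not have a default gateway")
        if not i.dns_servers:
            findings.append(f"{i.name}: internal interface needs an internal DNS server")
        if not in_lat(i.ip, lat):
            findings.append(f"{i.name}: internal address {i.ip} must be on the LAT")
    for e in external:
        if e.dns_servers:
            findings.append(f"{e.name}: no DNS server address on the external interface")
        if in_lat(e.ip, lat):
            findings.append(f"{e.name}: external address {e.ip} must not be on the LAT")
    if sum(1 for i in interfaces if i.gateway is not None) != 1:
        findings.append("exactly one interface may carry the default gateway to the Internet")
    if internal and binding_order[:1] != [internal[0].name]:
        findings.append("internal interface must be first in the interface binding order")
    return findings


# Constructed sample: one internal NIC and one external NIC, as in Appendix A.
SAMPLE_INTERFACES = [
    Interface("Internal", "192.168.10.1", None, ["192.168.10.5"], internal=True),
    Interface("External", "203.0.113.10", "203.0.113.9"),
]
SAMPLE_ROUTES = [
    Route("0.0.0.0", "0.0.0.0", "External"),             # default route via the ISP
    Route("203.0.113.8", "255.255.255.248", "External"),
    Route("192.168.10.0", "255.255.255.0", "Internal"),
    Route("192.168.20.0", "255.255.255.0", "Internal"),  # branch subnet behind a LAN router
]
SAMPLE_BINDING_ORDER = ["Internal", "External"]


def audit_interfaces():
    """LAT ranges (as strings) and findings for the correctly built sample."""
    lat = construct_lat(SAMPLE_ROUTES, SAMPLE_INTERFACES)
    return [str(n) for n in lat], check_isa_configuration(SAMPLE_INTERFACES, SAMPLE_BINDING_ORDER, lat)


def audit_misconfigured_interfaces():
    """Same hosts with the mistakes Appendix A warns about: a gateway on the internal
    NIC, a DNS address on the external NIC, and the external NIC bound first."""
    ifaces = [
        Interface("Internal", "192.168.10.1", "192.168.10.254", ["192.168.10.5"], internal=True),
        Interface("External", "203.0.113.10", "203.0.113.9", ["198.51.100.53"]),
    ]
    lat = construct_lat(SAMPLE_ROUTES, ifaces)
    return check_isa_configuration(ifaces, ["External", "Internal"], lat)
```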


APPENDIX C

Implementation – Installing ISA Server Service Pack 1

Virtual Private Networking – Appendix C– Installing ISA Server Service Pack 1

Installing ISA Server Service Pack 1

The next step was to immediately install ISA Server Service Pack 1. I downloaded Service Pack 1 from http://www.microsoft.com/isaserver/downloads/sp1.asp to a machine on the internal network, scanned it for viruses, and then copied it to the ISA Server. Performed the following steps after copying the service pack to the ISA Server:

1. Double clicked on the isasp1.exe file. Typed in a path to put the temporary files in the Choose Directory for Extracted Files dialog box (figure 20). Clicked OK.

Figure 20


2. Clicked I Agree in the End User License Agreement (EULA) dialog box (figure 21).

Figure 21

3. Clicked OK in the Microsoft ISA Server 2000 Update Setup dialog box (figure 22). The computer restarted after that (that is normal).

Figure 22

This finished installing ISA Server service pack 1.


APPENDIX D

Implementation – Installing Hotfix isahf255.exe

Virtual Private Networking – Appendix D– Installing Hotfix isahf255.exe

Installing HotFix isahf255.exe

Logged on to the ISA Server after the Service Pack 1 installation routine restarted the machine. There are a few hotfixes and updates that I needed to install on the Windows Server 2003/ISA Server machine to ensure ISA Server compatibility with Windows Server 2003. I downloaded the HotFix pack, isahf255.exe, from http://www.microsoft.com/downloads/details.aspx?familyid=77d89f87-5205-4779-b1ab-fc338283b2d9&displaylang=en to a machine on the internal network, scanned it for viruses, and then copied it to the ISA Server. Performed the following steps after copying the file to the ISA Server:

1. Double clicked on the isahf255.exe file. Clicked I Agree in the ISA Server 2000 hot fix 255 (331062) dialog box. Typed in a path for the temporary files in the Choose Directory for Extracted Files dialog box, then clicked OK (figure 23).

Figure 23

2. Clicked I Agree in the EULA dialog box.

3. Clicked OK in the Microsoft ISA Server 2000 Update Setup dialog box that informed me that the update was successfully applied (figure 24).

Figure 24

I did need to restart the server. The next step was to install Feature Pack 1.


APPENDIX E

Implementation – Installing Feature Pack 1

Virtual Private Networking – Appendix E– Installing Feature Pack 1

Installing Feature Pack 1

Feature Pack 1 (FP1) is not required; I did not have to install ISA Server Feature Pack 1 on the Windows Server 2003/ISA Server machine. However, it is highly recommended to install ISA Server Feature Pack 1 because it adds several new and useful features. I downloaded ISA Server Feature Pack 1 from http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en to a machine on the internal network and scanned it for viruses. Then copied the file to the ISA Server and performed the following steps:

1. Double clicked on the isaftp1.exe file. Typed in a path for the extracted files in the Choose Directory For Extracted Files dialog box (figure 25).

Figure 25

2. Clicked I Agree in the Feature Pack 1 EULA dialog box.

3. Clicked OK in the Microsoft ISA Server 2000 Feature Pack 1 dialog box. Left the checkmark in the Read about ISA Server Feature Pack 1 checkbox to learn more about what I get with Feature Pack 1.

At this point the ISA Server was ready to use but needed to be configured.


APPENDIX F

Implementation – Configuring the ISA Server 2000/VPN Server


Virtual Private Networking – Appendix F– Configuring ISA Server 2000/VPN Server

CONFIGURING THE ISA SERVER 2000/VPN SERVER

A Windows Server 2003/ISA Server 2000 computer uses the Routing and Remote Access Service (RRAS) to manage VPN connections. The ISA Server 2000 component creates packet filters to allow inbound and outbound VPN communications. Although the Routing and Remote Access Service controls and manages all VPN connections, ISA Server 2000 provides critical protection against attack. In addition, ISA Server provides easy-to-use wizards that perform many of the complex RRAS and VPN configuration tasks. I created a Windows Server 2003-based ISA Server firewall/VPN server by completing the following procedures:

• Ran the ISA Virtual Private Network Configuration Wizard

• Customized the VPN server configuration in Routing and Remote Access to meet my requirements

• Assigned a machine certificate to the VPN server to support L2TP/IPSec connections

The ISA Virtual Private Networking Configuration Wizard

The ISA Virtual Private Network Configuration Wizard starts the Routing and Remote Access service and configures the RRAS server to accept incoming PPTP and L2TP/IPSec VPN connections. The Wizard also creates ISA Server packet filters to allow incoming PPTP and L2TP/IPSec connections. If the Routing and Remote Access Service is already started, the Wizard will create the packet filters and configure the Routing and Remote Access Service to accept incoming PPTP and L2TP/IPSec VPN connections.
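As an added example (not the report's own material, and not the exact filter set the ISA wizard writes, which the page does not list), a model of the inbound packet filters a PPTP and L2TP/IPSec VPN server needs on its external interface, evaluated over constructed inbound packets and audited for over-permissive entries; the protocol numbers and ports are standard PPTP and L2TP/IPSec facts assumed here.

```python
"""Model of inbound VPN packet filters on an ISA Server firewall/VPN server
(Appendix F). Added example, not from the project report; protocol numbers and
ports are standard PPTP/L2TP-IPSec facts, the inbound packets are constructed."""
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE, IPPROTO_ESP = 6, 17, 47, 50
PROTO_NAMES = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}


@dataclass(frozen=True)
class Filter:
    name: str
    proto: int
    dst_port: Optional[int] = None        # None for GRE and ESP, which carry no port


@dataclass(frozen=True)
class Packet:
    src: str
    proto: int
    dst_port: Optional[int] = None


# Inbound filters for the two VPN protocols the wizard enables.
PPTP_FILTERS = [
    Filter("PPTP control channel", IPPROTO_TCP, 1723),
    Filter("PPTP data (GRE)", IPPROTO_GRE),
]
L2TP_IPSEC_FILTERS = [
    Filter("IKE", IPPROTO_UDP, 500),
    Filter("IPSec ESP (carries L2TP)", IPPROTO_ESP),
]
VPN_FILTERS = PPTP_FILTERS + L2TP_IPSEC_FILTERS


def matching_filter(packet: Packet, filters: List[Filter]) -> Optional[str]:
    """Name of the first filter that permits the packet, or None (default deny)."""
    for f in filters:
        if f.proto != packet.proto:
            continue
        if f.dst_port is None or f.dst_port == packet.dst_port:
            return f.name
    return None


def evaluate(packets, filters):
    """Split inbound packets into (allowed, dropped) as the external interface
    would, with every packet no filter matches being dropped."""
    allowed, dropped = [], []
    for p in packets:
        name = matching_filter(p, filters)
        (allowed if name else dropped).append((p, name))
    return allowed, dropped


def audit_filters(filters):
    """Flag filters that open more on the external interface than the VPN needs."""
    warnings = []
    for f in filters:
        if f.proto in (IPPROTO_TCP, IPPROTO_UDP) and f.dst_port is None:
            warnings.append(f"{f.name}: allows every {PROTO_NAMES[f.proto]} port")
        if f.proto == IPPROTO_UDP and f.dst_port == 1701:
            warnings.append(f"{f.name}: L2TP in the clear; it should only arrive inside ESP")
    return warnings


# Constructed inbound traffic arriving on the external interface.
SAMPLE_INBOUND = [
    Packet("198.51.100.20", IPPROTO_TCP, 1723),   # PPTP client connecting
    Packet("198.51.100.20", IPPROTO_GRE),         # its tunnelled PPP frames
    Packet("198.51.100.30", IPPROTO_UDP, 500),    # L2TP/IPSec client: IKE negotiation
    Packet("198.51.100.30", IPPROTO_ESP),         # the encrypted L2TP session
    Packet("198.51.100.40", IPPROTO_UDP, 1701),   # unencrypted L2TP: not permitted
    Packet("198.51.100.50", IPPROTO_TCP, 445),    # SMB from the Internet: not a VPN protocol
]


def audit_inbound():
    """Names of the filters that admitted packets, and the ports of dropped packets."""
    allowed, dropped = evaluate(SAMPLE_INBOUND, VPN_FILTERS)
    return [name for _, name in allowed], [p.dst_port for p, _ in dropped]
```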

Performed the following steps to start the ISA Virtual Private Network Configuration Wizard on the ISA Server machine:


Customizing the VPN Server Configuration

The ISA Server VPN Wizard has done most of the work. However, because not all network environments are the same, the changes the VPN Wizard makes might work for one organization but not for another. It is important to review the VPN server related changes and confirm that they fit the networking environment.

Performed the following steps to review and customize my VPN configuration:


Assigning a Machine Certificate to the ISA Server firewall/VPN Server

The ISA Server firewall/VPN server requires a machine certificate before it can create L2TP/IPSec connections with VPN clients. There are several ways to assign a machine certificate to the ISA Server firewall/VPN server:

• Via the Certificate Server Web Enrollment Site

• Via the Certificates standalone snap-in MMC

• Via Group Policy-based Autoenrollment

The Certificate Server Web Enrollment Site

The Web enrollment site requires that the Internet Information Server’s W3SVC be running on the Certificate Server. The certificate request is made via the browser interface and the certificate is obtained via the browser. The advantage of using the Web enrollment site is that the ISA Server firewall/VPN server does not need to belong to the internal network domain. The disadvantage is that the Web browser is installed and being used on a firewall, which can be considered a security risk.

Group Policy-based Autoenrollment

Group Policy-based autoenrollment allows machine certificates to be deployed automatically by configuring domain policy to assign machine certificates to all machines in the domain. The disadvantage of using Group Policy-based autoenrollment is that the ISA Server firewall/VPN server must belong to the internal network domain, or that I must create a domain for the ISA Server firewall/VPN servers to use that is separate from the user domain and then create a one-way trust between the ISA Server firewall/VPN server domain and the internal network domain that contains the users/groups I want to use for outbound and inbound access control.

The Certificates Standalone Snap-in

The Certificates snap-in allows the Microsoft Management Console (MMC) interface to be used to request and install a certificate directly from an enterprise Certificate Authority. The advantage of using the Certificates MMC is that it is very simple to request and install a machine certificate using the built-in Wizard. The disadvantage is that the ISA Server firewall/VPN server must belong to the same domain as the enterprise CA.

Performed the following steps on the ISA Server firewall/VPN server to request a machine certificate:

1. Clicked Start and clicked the Run command. Typed mmc in the open text box and clicked OK.

2. In the Console 1 console, clicked the File menu and then clicked the Add/Remove Snap-in command.


The ISA Server firewall/VPN server was then ready to accept incoming PPTP and L2TP/IPSec calls from VPN clients.


APPENDIX G

Implementation – Connecting to the VPN


Virtual Private Networking – Appendix G– Connecting to the VPN

Connecting to the VPN:

Navigated to Network Connections.

Clicked on File and then New Connection.

On the first screen of the wizard, which contains just information about the wizard's purpose, clicked Next.

The next screen of the wizard asks you to determine exactly what kind of network connection you would like to create. Since I was connecting to a VPN, I chose the "Connect to the network at my workplace" option. It does not really matter where the VPN resides. Clicked Next.

Then I selected the Virtual Private Network connection option and clicked the Next button.

The next step of the wizard asks you to name the new connection. Just about anything can be used here, since this just helps to keep track of what's what on the client machine. A name is useful if more than one VPN connection is to be managed.

The next step of the wizard asked which users should be able to use this new connection. I enabled the VPN connection for my use only.

Finally, the process of creating the initial connection was finished. Clicked Finish.
