VPN Introduction and Scenarios
8/2/2019 VPN Introduction and Scenarios
1/82
Virtual Private Network (VPN)
N. Ganesan, Ph.D.
-
Chapter Objectives
-
Chapter Modules
-
Primary Reference
VPN Overview by Microsoft
-
VPN
A virtual private network that is established over, in general, the Internet
It is virtual because it exists as a virtual entity within a public network
It is private because it is confined to a set of private users
-
Why is it a Virtual Private Network?
From the user's perspective, it appears as a network consisting of dedicated network links
These links appear as if they are reserved for the VPN clientele
Because of encryption, the network appears to be private
-
Example of a VPN
-
VPN Major Characteristics
Must emulate a point-to-point link
Done by encapsulating the data so that it can travel across the Internet to reach the end point
Must emulate a private link
Done by encrypting the data in the data packets
-
Typical VPN Connection
-
Tunnel and Connections
Tunnel
The portion of the network where the data is encapsulated
Connection
The portion of the network where the data is encrypted
-
Application Areas
In general, provide users with a connection to the corporate network regardless of their location
The alternative of using truly dedicated lines for a private network is an expensive proposition
-
Some Common Uses of VPN
Provide users with secured remote access over the Internet to corporate resources
Connect two computer networks securely over the Internet
Example: Connect a branch office network to the network in the head office
Secure part of a corporate network for security and confidentiality purposes
-
Remote Access Over the Internet
-
Connecting Two Computer Networks Securely
-
Securing a Part of the Corporate Network
-
Basic VPN Requirements
User Authentication
Address Management
Data Encryption
Key Management
Multi-protocol Support
-
User Authentication
The VPN must be able to authenticate users and allow only authorized users to access the network
-
Address Management
Assign addresses to clients and ensure that private addresses are kept private on the VPN
-
Data Encryption
Encrypt and decrypt the data to ensure that others on the network do not have access to the data
-
Key Management
Keys must be generated and refreshed for encryption at the server and the client. Note that keys are required for encryption.
-
Multi-protocol Support
The VPN technology must support common protocols on the Internet such as IP, IPX, etc.
-
VPN Implementation Protocols
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
IPSec
-
Tunneling
-
Point-to-Point Tunneling Protocol (PPTP)
Encapsulate and encrypt the data to be sent over a corporate or public IP network
-
Layer 2 Tunneling Protocol (L2TP)
Data is encrypted and encapsulated to be sent over communication links that support a user datagram mode of transmission
Examples of such links include X.25, Frame Relay and ATM
-
IPSec Tunnel Mode
Encapsulate and encrypt in an IP header for transmission over an IP network
-
Layer 2 Tunneling Protocols
PPTP
L2TP
Both encapsulate the payload in a PPP frame
-
Layer 3 Tunneling Protocol
IPSec Tunneling Mode
Encapsulates the payload in an additional IP header
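The two tunnel shapes contrasted in the Layer 2 and Layer 3 slides, built and unwrapped in code. This is an added example, not code from the slides or from Microsoft's VPN overview. It uses only the Python standard library; addresses reuse the deck's 172.16.0.0/24 private and 10.0.0.0/24 simulated-public ranges, and 10.0.0.2 as the VPN server's public address is an assumption. The ESP cipher and integrity tag are a constructed stand-in (HMAC-SHA256 keystream plus HMAC tag) for the AES suites real IPsec negotiates, so the packet layout is faithful but the transform is not an IPsec one.

```python
# Added example (not from the slides): Layer 2 (PPTP) vs Layer 3 (IPsec tunnel mode).
# PPTP:  inner IP packet -> PPP frame -> enhanced GRE -> outer IP header (10.0.0.x)
# IPsec: inner IP packet -> ESP (encrypted) -> outer IP header (10.0.0.x)
import hashlib
import hmac
import ipaddress
import struct

IP_PROTO_IPV4, IP_PROTO_GRE, IP_PROTO_ESP = 4, 47, 50
PPP_PROTO_IPV4 = 0x0021   # PPP protocol field value for an IPv4 payload
GRE_PROTO_PPP = 0x880B    # GRE protocol type for PPP (RFC 2637)
PPTP_GRE_FLAGS = 0x3001   # K (key) and S (sequence) bits set, GRE version 1


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; over a header whose checksum field is valid it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: no options, TTL 64, correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("not a well-formed IPv4 packet")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}


# ---- Layer 2 tunnel: PPTP carries a PPP frame inside enhanced GRE ----
def pptp_encapsulate(inner: bytes, outer_src: str, outer_dst: str, call_id: int, seq: int) -> bytes:
    ppp = struct.pack("!BBH", 0xFF, 0x03, PPP_PROTO_IPV4) + inner   # HDLC address/control + protocol
    gre = struct.pack("!HHHHI", PPTP_GRE_FLAGS, GRE_PROTO_PPP, len(ppp), call_id, seq) + ppp
    return ipv4_packet(outer_src, outer_dst, IP_PROTO_GRE, gre)


def pptp_decapsulate(outer: bytes) -> bytes:
    o = parse_ipv4(outer)
    if o["proto"] != IP_PROTO_GRE:
        raise ValueError("not GRE")
    flags, ptype, plen, _call_id, _seq = struct.unpack("!HHHHI", o["payload"][:12])
    if flags != PPTP_GRE_FLAGS or ptype != GRE_PROTO_PPP:
        raise ValueError("not a PPTP data packet")
    ppp = o["payload"][12:12 + plen]
    if ppp[:4] != struct.pack("!BBH", 0xFF, 0x03, PPP_PROTO_IPV4):
        raise ValueError("PPP frame does not carry IPv4")
    return ppp[4:]


# ---- Layer 3 tunnel: ESP in tunnel mode wraps the whole inner IP packet ----
def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Constructed PRF counter-mode keystream (illustration only, not an IPsec transform)."""
    blocks = (hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def esp_encapsulate(inner: bytes, outer_src: str, outer_dst: str, spi: int, seq: int,
                    enc_key: bytes, auth_key: bytes) -> bytes:
    pad_len = (-(len(inner) + 2)) % 4                        # ESP trailer keeps 4-byte alignment
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, IP_PROTO_IPV4])
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, spi, seq, len(plain))))
    esp = struct.pack("!II", spi, seq) + cipher               # SPI and sequence number stay in clear
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:16]
    return ipv4_packet(outer_src, outer_dst, IP_PROTO_ESP, esp + icv)


def esp_decapsulate(outer: bytes, enc_key: bytes, auth_key: bytes) -> bytes:
    o = parse_ipv4(outer)
    if o["proto"] != IP_PROTO_ESP:
        raise ValueError("not ESP")
    esp, icv = o["payload"][:-16], o["payload"][-16:]
    if not hmac.compare_digest(hmac.new(auth_key, esp, hashlib.sha256).digest()[:16], icv):
        raise ValueError("ESP integrity check failed")       # verify first; never decrypt a bad packet
    spi, seq = struct.unpack("!II", esp[:8])
    plain = bytes(a ^ b for a, b in zip(esp[8:], _keystream(enc_key, spi, seq, len(esp) - 8)))
    pad_len, next_header = plain[-2], plain[-1]
    if next_header != IP_PROTO_IPV4:
        raise ValueError("tunnel mode expects an inner IPv4 packet")
    return plain[:len(plain) - 2 - pad_len]


def demo() -> dict:
    """What a tap on the simulated Internet (10.0.0.0/24) sees for each tunnel shape."""
    inner = ipv4_packet("172.16.0.5", "172.16.0.10", 17, b"hello intranet")
    pptp = pptp_encapsulate(inner, "10.0.0.1", "10.0.0.2", call_id=7, seq=1)
    esp = esp_encapsulate(inner, "10.0.0.1", "10.0.0.2", 0x1000, 1, b"k" * 32, b"a" * 32)
    return {
        "pptp_outer": (parse_ipv4(pptp)["src"], parse_ipv4(pptp)["dst"], parse_ipv4(pptp)["proto"]),
        "esp_outer": (parse_ipv4(esp)["src"], parse_ipv4(esp)["dst"], parse_ipv4(esp)["proto"]),
        "pptp_payload_visible": b"hello intranet" in pptp,   # GRE encapsulates but does not encrypt
        "esp_payload_visible": b"hello intranet" in esp,
        "round_trip_ok": pptp_decapsulate(pptp) == inner == esp_decapsulate(esp, b"k" * 32, b"a" * 32),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` makes the deck's tunnel/connection distinction concrete: both outer packets show only 10.0.0.x addresses (the tunnel hides the private 172.16.0.0/24 addressing), but the PPTP/GRE packet still carries the inner payload in clear, because PPTP by itself only encapsulates; on a real PPTP link the encryption comes from MPPE, listed later in the deck. The ESP packet hides the payload and, on the receiving side, the integrity check runs before any decryption so a tampered packet is dropped rather than decoded.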
-
PPP Format
-
PPTP Format
-
L2TP Format
-
Windows Implementation of VPN
L2TP for tunneling
IPSec for encryption
Known as L2TP/IPSec
-
Windows Implementation
-
IPSec Tunnel Mode
Supports only IP networks
-
Tunnel Types
Voluntary
VPN request is initiated by the client
The client remains the end point
Compulsory
VPN access server creates a compulsory tunnel for the client
In this case, the dial-up access server between the user's computer and the tunnel server is the tunnel end point that acts as a client
-
The Choice
Voluntary tunneling is used in most applications
-
Other Important Protocols in VPN
Microsoft Point-to-Point Encryption (MPPE)
Extensible Authentication Protocol (EAP)
Remote Authentication Dial-in User Service (RADIUS)
-
A Note on RADIUS
-
Keys
Symmetric Keys
Asymmetric Keys
-
Summary
-
End of Module
-
VPN Scenarios
N. Ganesan, Ph.D.
-
Chapter Objectives
-
Chapter Modules
-
Reference
-
Some Example Scenarios
VPN remote access for employees.
On-demand branch office access.
Persistent branch office access.
Extranet for business partners.
Dial-up and VPNs with RADIUS authentication.
-
VPN Remote Access for Employees
-
Router-to-Router Branch Office Connection
-
Branch Office Connection (Router-to-Router)
-
VPN-Based Extranet
-
Dial-up and VPNs with RADIUS Authentication
-
Module
Configuring a VPN Environment
-
Test Scenario
-
Component Details
A computer running Windows Server 2003, Enterprise Edition, named DC1 that is acting as a domain controller, a Domain Name System (DNS) server, a Dynamic Host Configuration Protocol (DHCP) server, and a certification authority (CA).
A computer running Windows Server 2003, Standard Edition, named VPN1 that is acting as a VPN server. VPN1 has two network adapters installed.
A computer running Windows Server 2003, Standard Edition, named IAS1 that is acting as a Remote Authentication Dial-in User Service (RADIUS) server.
-
Component Details Cont.
A computer running Windows Server 2003, Standard Edition, named IIS1 that is acting as a Web and file server.
A computer running Windows XP Professional named CLIENT1 that is acting as a VPN client.
-
Private and Public Networks
Private
172.16.0.0/24
Simulated Public
10.0.0.0/24
-
DC1
DC1 is a computer running Windows Server 2003, Enterprise Edition that is providing the following services:
A domain controller for the example.com Active Directory domain
A DNS server for the example.com DNS domain
A DHCP server for the intranet network segment
The enterprise root certification authority (CA) for the example.com domain
-
Step 1: Configuring DC1
The first step is to configure the following:
Active Directory
DNS
DHCP
CA
-
Step 2: Configure IAS1
Install Windows Server
Provides RADIUS authentication, authorization, and accounting for VPN1
Register the server in Active Directory
Configure new remote access policies
Specify authentication method and encryption level
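The RADIUS exchange this step sets up, between the VPN server acting as the network access server (VPN1) and the RADIUS server (IAS1), written out as an added example rather than anything from the slides or from Windows Server itself. It follows the RFC 2865 packet format with PAP-style User-Password hiding and uses only the Python standard library; the shared secret, the in-memory user store, the address pool and 10.0.0.2 as VPN1's address are all constructed for the demonstration.

```python
# Added example (not from the slides): a RADIUS Access-Request / Access-Accept
# exchange as in RFC 2865. Shared secret, users, pool and NAS address are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 2, 4, 8


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value list; Length counts the two header bytes as well."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        out[t] = data[i + 2:i + length]
        i += length
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, secret: bytes, user: bytes, password: bytes, nas_ip: str) -> bytes:
    """NAS side: a fresh random Request Authenticator per request also salts the password hiding."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, user),
                          (USER_PASSWORD, hide_password(password, secret, request_auth)),
                          (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def radius_server_handle(packet: bytes, secret: bytes, user_db: dict, pool: list) -> bytes:
    """RADIUS server side: check credentials; an Accept carries the client's Framed-IP-Address."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    user = attrs.get(USER_NAME)
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if user in user_db and hmac.compare_digest(user_db[user], password):
        code, reply_attrs = ACCESS_ACCEPT, encode_attrs([(FRAMED_IP_ADDRESS, pool.pop(0))])
    else:
        code, reply_attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def nas_verify_response(request: bytes, response: bytes, secret: bytes):
    """NAS side: honour a reply only if its identifier and Response Authenticator check out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None                                  # forged, replayed or wrong-secret reply
    return code, decode_attrs(response[20:])


def demo():
    secret = b"constructed-shared-secret"
    users = {b"VPNUser": b"constructed-password"}            # constructed in-memory user store
    pool = [bytes([172, 16, 0, 50]), bytes([172, 16, 0, 51])]  # constructed 172.16.0.0/24 pool
    req = build_access_request(1, secret, b"VPNUser", b"constructed-password", "10.0.0.2")
    accepted = nas_verify_response(req, radius_server_handle(req, secret, users, pool), secret)
    bad = build_access_request(2, secret, b"VPNUser", b"wrong", "10.0.0.2")
    rejected = nas_verify_response(bad, radius_server_handle(bad, secret, users, pool), secret)
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

Two points to take from this: the User-Password attribute is only as protected as the shared secret and the freshness of the Request Authenticator, which is why the secret must be strong and per-NAS, and the NAS must validate the Response Authenticator before acting on an Accept, otherwise anyone who can inject a UDP reply could grant access and hand out an address from the pool.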
-
Step 3: Configure IIS1
Configure this as a web server for web access as well as file sharing
-
Step 4: Configure VPN1
Install VPN1 as a member server in the domain
Configure TCP/IP for the intranet and Internet sides
Configure and enable routing and remote access
Set up the server to work with a RADIUS server
Set up the DHCP relay agent parameters
-
Step 5: Configure Client1
CLIENT1 is a computer running Windows XP Professional that is acting as a VPN client and gaining remote access to intranet resources across the simulated Internet. To configure CLIENT1 as a VPN client for a PPTP connection, perform the following steps:
-
1. Connect CLIENT1 to the intranet network segment.
2. On CLIENT1, install Windows XP Professional as a member computer named CLIENT1 of the example.com domain.
3. Add the VPNUser account in the example.com domain to the local Administrators group.
4. Log off and then log on using the VPNUser account in the example.com domain.
-
5. From Control Panel-Network Connections, obtain properties on the Local Area Network connection, and then obtain properties on the Internet Protocol (TCP/IP).
6. Click the Alternate Configuration tab, and then click User configured.
7. In IP address, type 10.0.0.1. In Subnet mask, type 255.255.255.0. This is shown in the following figure.
-
8. Click OK to save changes to the Internet Protocol (TCP/IP). Click OK to save changes to the Local Area Network connection.
9. Shut down the CLIENT1 computer.
10. Disconnect the CLIENT1 computer from the intranet network segment, and connect it to the simulated Internet network segment.
-
11. Restart the CLIENT1 computer and log on using the VPNUser account.
12. On CLIENT1, open the Network Connections folder from Control Panel.
13. In Network Tasks, click Create a new connection.
14. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
15. On the Network Connection Type page, click Connect to the network at my workplace. This is shown in the following figure.
-
19. Click Next. On the Connection Availability page, click Next.
20. On the Completing the New Connection Wizard page, click Finish. The Connect PPTPtoCorpnet dialog box is displayed. This is shown in the following figure.
-
21. Click Properties, and then click the Networking tab.
22. On the Networking tab, in Type of VPN, click PPTP VPN. This is shown in the following figure.
-
23. Click OK to save changes to the PPTPtoCorpnet connection. The Connect PPTPtoCorpnet dialog box is displayed.
24. In User name, type example/VPNUser. In Password, type the password you chose for the VPNUser account. This is shown in the following figure.
-
25. Click Connect.
26. When the connection is complete, run Internet Explorer.
27. If prompted by the Internet Connection Wizard, configure it for a LAN connection. In Address, type http://IIS1.example.com/winxp.gif. You should see a Windows XP graphic.
28. Click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the Local Drive (C:) on IIS1.
29. Right-click the PPTPtoCorpnet connection, and then click Disconnect.
-
End of Chapter