This article discusses some important technical concepts associated with a VPN. A Virtual Private Network (VPN) connects remote employees, company offices, and business partners over the Internet and secures encrypted tunnels between locations. An Access VPN is used to connect remote users to the enterprise network. The remote workstation or laptop uses an access circuit such as Cable, DSL or Wireless to connect to a local Internet Service Provider (ISP). In the client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop to the ISP using IPSec, Layer 2 Tunneling Protocol (L2TP), or Point to Point Tunneling Protocol (PPTP). The user must authenticate with the ISP as a permitted VPN user. Once that is done, the ISP builds an encrypted tunnel to the company VPN router or concentrator. TACACS, RADIUS or Windows servers then authenticate the remote user as an employee who is allowed access to the company network. With that finished, the remote user must authenticate to the local Windows domain server, Unix server or Mainframe host, depending on where their network account is located. The ISP-initiated model is less secure than the client-initiated model because the encrypted tunnel is built only from the ISP to the company VPN router or VPN concentrator. In that model the VPN tunnel is built with L2TP or L2F.
The Extranet VPN connects business partners to the company network by building a secure VPN connection from the business partner router to the company VPN router or concentrator. The tunneling protocol used depends on whether it is a router connection or a remote dialup connection. The choices for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE). Dialup extranet connections use L2TP or L2F. The Intranet VPN connects company offices using the same approach, with IPSec or GRE as the tunneling protocols. It is important to note that what makes VPNs so economical and efficient is that they leverage the existing Internet for transporting company traffic. This is why most companies are choosing IPSec as the preferred security protocol for guaranteeing that data stays secure as it travels between routers or between laptop and router. IPSec is made up of 3DES encryption, IKE key exchange authentication and MD5 route authentication, which together provide authentication, authorization and confidentiality.
Internet Protocol Security (IPSec) – The IPSec protocol is worth noting since it is such a prevalent security protocol used today with Virtual Private Networking. IPSec is specified in RFC 2401 and was created as an open standard for secure transport of IP across the public Internet. The packet structure is composed of an IP header/IPSec header/Encapsulating Security Payload. IPSec provides encryption services with 3DES and authentication with MD5. In addition there are Internet Key Exchange (IKE) and ISAKMP, which automate the distribution of secret keys between IPSec peer devices (concentrators and routers). These protocols are required for negotiating one-way or two-way security associations. IPSec security associations consist of an encryption algorithm (3DES), a hash algorithm (MD5) and an authentication method (MD5). Access VPN implementations use three security associations (SA) per connection (transmit, receive and IKE). An enterprise network with many IPSec peer devices will use a Certificate Authority for scalability of the authentication process instead of IKE/pre-shared keys.
Laptop – VPN Concentrator IPSec Peer Connection
1. IKE Security Association Negotiation
2. IPSec Tunnel Setup
3. XAUTH Request / Response – (RADIUS Server Authentication)
4. Mode Config Response / Acknowledge (DHCP and DNS)
5. IPSec Security Association
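The five steps above as an added example, not code from the article: a small Python model in which a constructed concentrator refuses any step taken out of order and hands out an address from its Mode Config pool only after XAUTH succeeds. The user store, address pool and DNS address are constructed stand-ins, and no real IKE packets are exchanged.

```python
from hmac import compare_digest
from ipaddress import ip_network

# Constructed RADIUS user store (a real server would hold hashes, not plaintext).
RADIUS_USERS = {"alice": "constructed-secret"}
MODE_CONFIG_POOL = "10.20.0.0/24"   # constructed telecommuter address pool


class PhaseError(Exception):
    """Raised when a peer attempts a step out of the five-step order."""


class Concentrator:
    """Constructed stand-in for the VPN concentrator side of the exchange."""
    ORDER = ["ike-sa", "tunnel", "xauth", "mode-config", "ipsec-sa"]

    def __init__(self, users=RADIUS_USERS, pool=MODE_CONFIG_POOL):
        self.users = users
        self.pool = iter(ip_network(pool).hosts())   # addresses handed out by Mode Config
        self.done = []                               # steps completed so far
        self.client_ip = None

    def _enter(self, step):
        idx = len(self.done)
        if idx == len(self.ORDER) or step != self.ORDER[idx]:
            raise PhaseError(f"{step} not allowed at this point")
        self.done.append(step)

    def ike_sa(self):                       # 1. IKE SA negotiation
        self._enter("ike-sa"); return "ike-sa-ok"
    def tunnel(self):                       # 2. protected channel for the XAUTH exchange
        self._enter("tunnel"); return "tunnel-ok"
    def xauth(self, user, password):        # 3. XAUTH checked against the RADIUS store
        self._enter("xauth")
        stored = self.users.get(user)
        if stored is None or not compare_digest(stored.encode(), password.encode()):
            self.done.clear()               # tear down: no address is ever assigned
            return "xauth-fail"
        return "xauth-ok"
    def mode_config(self):                  # 4. address and DNS only after XAUTH
        self._enter("mode-config")
        self.client_ip = next(self.pool)
        return {"ip": str(self.client_ip), "dns": "192.0.2.53"}   # constructed DNS
    def ipsec_sa(self):                     # 5. final SA bound to the assigned address
        self._enter("ipsec-sa"); return f"ipsec-sa bound to {self.client_ip}"


def connect(conc, user, password):
    """Drive the full sequence; returns the assigned IP, or None if XAUTH fails."""
    conc.ike_sa(); conc.tunnel()
    if conc.xauth(user, password) != "xauth-ok":
        return None
    cfg = conc.mode_config()
    conc.ipsec_sa()
    return cfg["ip"]
```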
Access VPN Design – The Access VPN will leverage the availability and low cost of the Internet for connectivity to the company core office, with WiFi, DSL and Cable access circuits from local Internet providers. The main concern is that company data has to be protected as it travels across the Internet from the telecommuter laptop to the company core office. The client-initiated model will be used, which builds an IPSec tunnel from each client laptop that is terminated at a VPN concentrator. Each laptop will be configured with VPN client software that runs on Windows. The telecommuter must first dial a local access number and authenticate with the ISP. The RADIUS server will authenticate each dial connection as an authorized telecommuter. Once that is done, the remote user will authenticate and authorize with a Windows, Solaris or Mainframe server before starting any applications. There are dual VPN concentrators that will be configured for failover with Virtual Router Redundancy Protocol (VRRP) should one of them become unavailable.
Each concentrator is connected between the external router and the firewall. A new feature of the VPN concentrators prevents denial of service (DoS) attacks from outside attackers that could affect network availability. The firewalls are configured to permit the source and destination IP addresses that are assigned to each telecommuter from the pre-defined range. As well, any application and protocol ports that are required will be permitted through the firewall.
Extranet VPN Design – The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus, since the Internet will be used for transporting all data traffic from each business partner. There will be a circuit connection from each business partner that terminates at a VPN router at the company core office. Each business partner and its peer VPN router at the core office will use a router with a VPN module. That module provides IPSec and high-speed hardware encryption of packets before they are transported across the Internet. Peer VPN routers at the company core office are dual homed to different multilayer switches for link diversity should one of the links become unavailable. It is important that traffic from one business partner does not end up at another business partner office. The switches are located between the external and internal firewalls and are used for connecting public servers and the external DNS server. That is not a security issue because the external firewall is filtering public Internet traffic.
Furthermore, filtering can be implemented at each network switch as well to prevent routes from being advertised or vulnerabilities being exploited through the business partner connections at the company core office multilayer switches. Separate VLANs will be assigned at each network switch for each business partner to improve security and segmentation of subnet traffic. The tier 2 external firewall will examine each packet and permit those that have business partner source and destination IP addresses and the application and protocol ports they need. Business partner sessions will need to authenticate with a RADIUS server. Once that is finished, they will authenticate at Windows, Solaris or Mainframe hosts before starting any applications.
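The filtering described in the Access VPN and Extranet VPN designs above, as an added example that is not part of the article: a default-deny policy model in Python in which each partner VLAN and the telecommuter pool may reach only the core office, and only on the ports they need, so partner-to-partner traffic is dropped. All address ranges, ports and sample flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # network the packet must originate from
    dst: str          # network the packet must be destined to
    ports: frozenset  # permitted (protocol, destination port) pairs


# Constructed address plan (not from the article): one VLAN/subnet per business
# partner, a pre-defined pool for telecommuters, and the core office servers.
PARTNER_A = "10.10.1.0/24"
PARTNER_B = "10.10.2.0/24"
TELECOMMUTERS = "10.20.0.0/24"
CORE_SERVERS = "192.168.50.0/24"

# Only the ports each party needs; no rule lets a partner reach another partner.
POLICY = (
    Rule("partner-a-to-core", PARTNER_A, CORE_SERVERS,
         frozenset({("tcp", 443), ("tcp", 1521)})),
    Rule("partner-b-to-core", PARTNER_B, CORE_SERVERS,
         frozenset({("tcp", 443)})),
    Rule("telecommuter-to-core", TELECOMMUTERS, CORE_SERVERS,
         frozenset({("tcp", 22), ("tcp", 445), ("tcp", 3389)})),
)


def match(src, dst, proto, port, policy=POLICY):
    """Return the name of the first permitting rule, or None (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if (s in ip_network(rule.src) and d in ip_network(rule.dst)
                and (proto, port) in rule.ports):
            return rule.name
    return None


def audit(flows, policy=POLICY):
    """Return the flows from a capture that the firewall should have dropped."""
    return [f for f in flows if match(*f, policy=policy) is None]


# Constructed sample flows as (src, dst, proto, dport), e.g. from a flow log.
SAMPLE_FLOWS = [
    ("10.10.1.25", "192.168.50.10", "tcp", 443),   # partner A to core web: allowed
    ("10.10.1.25", "10.10.2.40", "tcp", 443),      # partner A to partner B: dropped
    ("10.20.0.7", "192.168.50.20", "tcp", 445),    # telecommuter file share: allowed
    ("10.20.0.7", "192.168.50.10", "tcp", 1521),   # telecommuter to DB port: dropped
    ("203.0.113.9", "192.168.50.10", "tcp", 443),  # unassigned public source: dropped
]
```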