Network
Chapter 9
Learning Objectives
Understand the components and essential operations of virtual private networks (VPNs)
Describe the different types of VPNs
Create VPN setups such as mesh or hub-and-spoke configurations
Choose the right tunneling protocol for your VPN
Enable secure remote access for individual users via a VPN
Observe best practices for configuring and maintaining VPNs effectively
VPNs
Goal: Provide a cost-effective and secure way to connect businesses to one another and remote workers to office networks
Encapsulate and encrypt data being transmitted
Use authentication to ensure that only approved users can access the VPN
Provide a means of secure point-to-point communications over the public Internet
VPN Components and Operations
Hardware devices
Can have two endpoints or terminators
Can have a (virtual) tunnel
Software that performs security-related activities
Devices That Form the Endpoints of the VPN
IP encapsulation
Data payload encryption
Encrypted authentication
IP Encapsulation
Provides a high degree of protection
VPN encapsulates actual data packets within packets that use source and destination addresses of VPN gateway
Source and destination information of actual data packets are completely hidden
Because a VPN tunnel is used, source and destination IP addresses of actual data packets can be in private reserved blocks not usually routable over the Internet
Data Payload Encryption
Transport method
Tunnel method
Encrypted Authentication
Site-to-site VPN
Links two or more networks
Client-to-site VPN
Makes a network accessible to remote users who need dial-in access
VPN Appliances
Hardware devices specially designed to terminate VPNs and join multiple LANs
Permit connections, but do not provide other services (e.g., file sharing, printing)
Enable connections of more tunnels and users than software systems
Examples
SonicWALL series
Symantec Firewall/VPN appliance
Advantage of Using Hardware Systems
Software VPN Systems
Generally less expensive than hardware systems
Tend to scale better for fast-growing networks
Examples
F-Secure VPN+
Novell BorderManager VPN services
Check Point FireWall-1
VPN Combinations of Hardware and Software
If two participants
Configuration is relatively straightforward in terms of expense, technical difficulty, and time
If three or more, several options
Mesh configuration
Hub-and-spoke arrangement
Hybrid setup
Mesh Configuration
Extranet
Enable firewalls and anti-virus software for each remote user or business partner
Intranet
Establish usage limits
Set up anti-virus and firewall protection
Configurations and Extranet and Intranet Access
Tunneling Protocols Used with VPNs
IPSec/IKE
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)
PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer)
PPP over SSH (Point-to-Point Protocol over Secure Shell)
IPSec/IKE
IPSec provides:
Encryption of the data part of packets
Authentication
Encapsulation between two VPN hosts
Two security methods (AH and ESP)
Capability to work in two modes (transport and tunnel)
IKE provides:
Exchange of public and private keys
Ability to determine which encryption protocols should be used to encrypt data that flows through VPN tunnel
PPTP
Developed by Microsoft for granting VPN access to remote users over dial-up connections
Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data
Useful if support for older clients is needed
Compatible with Network Address Translation (NAT)
Replaced by L2TP
L2TP
Time consuming
Choose client software that is easy for end users to install on their own to save you time and effort
Chapter Summary