
Setting Up a Virtual Private Network
Chapter 9
Learning Objectives
Understand the components and essential operations of virtual private networks (VPNs)
Describe the different types of VPNs
Create VPN setups such as mesh or hub-and-spoke configurations
Choose the right tunneling protocol for your VPN
Enable secure remote access for individual users via a VPN
Observe best practices for configuring and maintaining VPNs effectively
VPNs
Goal: Provide a cost-effective and secure way to connect businesses to one another and remote workers to office networks
Encapsulate and encrypt data being transmitted
Use authentication to ensure that only approved users can access the VPN
Provide a means of secure point-to-point communications over the public Internet
VPN Components and Operations
Essential components that make up a VPN
How VPNs enable data to be accessed securely
Advantages and disadvantages of using VPNs compared to leased lines
How VPNs extend network boundaries
Components within VPNs
Hardware devices
- Two endpoints, or terminators, one at each end of the connection
- A (virtual) tunnel between the two endpoints
Software that performs the security-related activities (encapsulation, encryption, authentication)
Devices That Form the Endpoints of the VPN
Server running a tunneling protocol
VPN appliance
A firewall/VPN combination
A router-based VPN
Essential Activities of VPNs
IP encapsulation
Data payload encryption
Encrypted authentication
IP Encapsulation
Hides the addressing and structure of the protected traffic; confidentiality and integrity come from the encryption and authentication applied to the encapsulated packet
The VPN encapsulates the actual data packets within new packets that use the source and destination addresses of the VPN gateways
- Source and destination information of the actual data packets is completely hidden from anyone observing the tunnel
Because a VPN tunnel is used, the source and destination IP addresses of the actual data packets can be in private reserved blocks (RFC 1918) that are not routable over the Internet
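The encapsulation step in code, as an added example that is not part of the original chapter: a packet between two RFC 1918 hosts is wrapped in an outer IPv4 packet whose addresses belong to the two gateways (plain IP-in-IP, protocol 4, so that only the addressing effect is shown; a real VPN would apply ESP to the inner packet as well). The gateway addresses 203.0.113.1 and 198.51.100.1 and the inner hosts are constructed sample values from the documentation ranges; it uses only the Python standard library.

```python
"""IPv4 tunnel-mode encapsulation, illustrating what a VPN gateway does to the
addressing of a packet. Standard library only; no real cryptography here, this
shows the encapsulation step (IP-in-IP, IP protocol 4), not ESP."""
import ipaddress
import struct

IPPROTO_IPIP = 4    # IP-in-IP (RFC 2003): the outer protocol number used here
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of the header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options)."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed header, verify its checksum, return fields and payload."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    if ipv4_checksum(header) != 0:        # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", header[:20])
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "payload": packet[ihl:total_len],
    }


def encapsulate(inner: bytes, gw_local: str, gw_remote: str) -> bytes:
    """Local gateway: wrap the whole inner packet in a new IP header whose
    addresses are the two VPN gateways (this is what tunnel mode does)."""
    return build_ipv4(gw_local, gw_remote, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> bytes:
    """Remote gateway: strip the outer header and hand the inner packet on."""
    fields = parse_ipv4(outer)
    if fields["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return fields["payload"]


def demo() -> dict:
    # Constructed sample: a host on the 10.0.1.0/24 LAN talking to a host on
    # the 10.0.2.0/24 LAN behind the remote gateway (both RFC 1918 addresses).
    inner = build_ipv4("10.0.1.5", "10.0.2.9", IPPROTO_UDP, b"payload")
    # Hypothetical public gateway addresses from the RFC 5737 documentation ranges.
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.1")
    return {
        "outer": parse_ipv4(outer),                 # what the Internet sees
        "inner": parse_ipv4(decapsulate(outer)),    # what the remote LAN receives
        "inner_is_private": ipaddress.ip_address("10.0.1.5").is_private,
    }
```

Only the outer header is routable on the Internet; the inner 10.x.x.x addresses travel as payload and are restored unchanged at the far gateway.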
Data Payload Encryption
Transport mode: only the payload of the original packet is encrypted; the original IP header is kept (used host-to-host)
Tunnel mode: the entire original packet, header included, is encrypted and wrapped in a new IP header addressed to the VPN gateways (used gateway-to-gateway)
Encrypted Authentication
Hosts authenticate each other before any data is tunneled, using keys produced by cryptographic algorithms
Types of keys that can be used
- Symmetric keys: one pre-shared secret known to both ends; it is distributed out of band and is never sent over the link in the clear
- Asymmetric keys: each host has a public/private key pair (usually in a certificate); only the public key is ever exchanged, the private key never leaves its host
Advantages and Disadvantages of VPNs
VPNs Extend a Network's Boundaries
To deal with the increased risk caused by VPN connections:
- Use two or more authentication methods (multi-factor authentication) to identify remote users
- Integrate virus protection
- Set usage limits
Types of VPNs
Site-to-site VPN
- Links two or more networks through their gateways; hosts on either side need no VPN software of their own
Client-to-site VPN
- Makes a network accessible to individual remote users who connect over the Internet (originally over dial-up)
VPN Appliances
Hardware devices specially designed to terminate VPNs and join multiple LANs
Permit connections, but do not provide other services (e.g., file sharing, printing)
Enable connections of more tunnels and users than software systems
Examples
- SonicWALL series
- Symantec Firewall/VPN appliance
Advantage of Using Hardware Systems
Software VPN Systems
Generally less expensive than hardware systems
Tend to scale better for fast-growing networks
Examples
- F-Secure VPN+
- Novell BorderManager VPN services
- Check Point FireWall-1
VPN Combinations of Hardware and Software
Cisco 3000 Series VPN Concentrator
- Gives users the choice of operating in:
  - Client mode, or
  - Network extension mode
VPN Combinations of Different Vendors' Products
Challenge: Get all pieces to talk to and communicate with one another successfully
Pick a standard security protocol that is widely used and that all devices support (e.g., IPSec)
VPN Setups
If two participants
- Configuration is relatively straightforward in terms of expense, technical difficulty, and time
If three or more, several options
- Mesh configuration
- Hub-and-spoke arrangement
- Hybrid setup
Mesh Configuration
Connects multiple computers that each have a security association (SA) with all other machines in the VPN
With n participants this means n(n-1)/2 tunnels to configure and keep in sync, but every pair communicates directly
Hub-and-Spoke Configuration
A single VPN router maintains records of all SAs
Any device that wishes to participate in the VPN need only connect to the central router
Easy to increase the size of the VPN: one new tunnel per added site
The requirement that all communications flow into and out of the central router slows down communications and makes the hub a bottleneck and a single point of failure
Hybrid Configuration
Benefits from the strengths of each: the scalability of the hub-and-spoke option and the speed of the mesh option
Use mesh for the most important branches of the network and critical communications
Use hub-and-spoke for overseas branches and for new branch offices
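The trade-off between the mesh, hub-and-spoke and hybrid layouts above, worked through in code as an added example (not from the chapter): the functions build the set of site-to-site tunnels for each layout and trace the gateways a packet crosses between two sites, so the tunnel count and the extra hop through the hub can be compared directly. The site names are constructed placeholders; each tunnel here stands for one configured IPsec connection, which in practice carries a pair of SAs (one per direction).

```python
"""Tunnel counting and traffic paths for mesh, hub-and-spoke and hybrid VPN
layouts. Each entry in a layout is an undirected site-to-site tunnel."""
from collections import deque
from itertools import combinations


def mesh(sites):
    """Every site has a tunnel to every other site: n(n-1)/2 tunnels."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def hub_and_spoke(hub, spokes):
    """Every spoke has exactly one tunnel, to the hub: n-1 tunnels."""
    return {frozenset((hub, spoke)) for spoke in spokes}


def hybrid(core, hub, spokes):
    """Full mesh among the critical `core` sites (the hub is one of them);
    the remaining spokes hang off the hub only."""
    return mesh(core) | hub_and_spoke(hub, spokes)


def path(tunnels, src, dst):
    """Shortest sequence of gateways a packet crosses from src to dst (BFS over
    the tunnel graph). Two entries means a direct tunnel; three means the
    traffic is decrypted and re-encrypted at the hub on the way. None means
    the two sites cannot reach each other over the VPN at all."""
    adjacency = {}
    for tunnel in tunnels:
        a, b = tuple(tunnel)
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    previous = {src: None}
    queue = deque([src])
    while queue:
        current = queue.popleft()
        if current == dst:
            break
        for neighbour in adjacency.get(current, ()):
            if neighbour not in previous:
                previous[neighbour] = current
                queue.append(neighbour)
    if dst not in previous:
        return None
    route = []
    while dst is not None:
        route.append(dst)
        dst = previous[dst]
    return route[::-1]


def compare(sites):
    """Tunnel counts for the same sites laid out as a mesh and as hub-and-spoke,
    with sites[0] acting as the hub."""
    hub, spokes = sites[0], sites[1:]
    return {"mesh": len(mesh(sites)), "hub_and_spoke": len(hub_and_spoke(hub, spokes))}


# Constructed sample: a head office plus five branches (placeholder names).
SITES = ["HQ", "Branch-A", "Branch-B", "Branch-C", "Branch-D", "Branch-E"]
```

For the six constructed sites the mesh needs fifteen tunnels and hub-and-spoke five; in the hybrid with HQ, Branch-A and Branch-B meshed, Branch-A to Branch-B is one hop while Branch-C to Branch-D still transits HQ.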
Configurations and Extranet and Intranet Access
Extranet
- Enable firewalls and anti-virus software for each remote user or business partner
Intranet
- Establish usage limits
- Set up anti-virus and firewall protection
Tunneling Protocols Used with VPNs
IPSec/IKE
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)
PPP over SSL (Point-to-Point Protocol over Secure Sockets Layer)
PPP over SSH (Point-to-Point Protocol over Secure Shell)
IPSec/IKE
IPSec provides:
- Encryption of the data part of packets
- Authentication and integrity protection of packets
- Encapsulation between two VPN hosts
- Two security protocols (AH, which authenticates only, and ESP, which encrypts and can also authenticate)
- Capability to work in two modes (transport and tunnel)
IKE provides:
- Mutual authentication of the two peers (by pre-shared key or certificates) and a Diffie-Hellman exchange in which only public values cross the wire; each side derives the shared session keys locally, so private keys are never exchanged
- Negotiation of which encryption and integrity algorithms should be used to protect data that flows through the VPN tunnel (the security association)
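What IKE actually sends, as an added example that is not from the chapter: a simulated IKE_SA_INIT exchange in which each peer publishes only its Diffie-Hellman public value and a nonce, and both then derive the same SKEYSEED following the IKEv2 rule SKEYSEED = prf(Ni | Nr, g^ir) from RFC 7296 section 2.14, with HMAC-SHA256 standing in for the negotiated prf. The modulus is the 1024-bit MODP group 2 from RFC 2409, chosen only to keep the constant short; it is too weak for new deployments, which should use group 14 (2048-bit) or larger, or an elliptic-curve group. The class and function names are this example's own, and it omits the authentication payloads and SA negotiation of a real IKE implementation.

```python
"""Diffie-Hellman key agreement as used by IKE: only public values and nonces
cross the wire, yet both peers end up with the same SKEYSEED."""
import hashlib
import hmac
import secrets

# 1024-bit MODP group 2 (RFC 2409, section 6.2). Used here only to keep the
# example short; new deployments should use group 14 or larger, or ECDH.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8


class IkePeer:
    """One IKE endpoint (hypothetical class name). The private exponent is
    generated here and never leaves the object."""

    def __init__(self, nonce_len: int = 32):
        self._x = secrets.randbelow(P - 2) + 2       # private DH exponent, kept local
        self.public = pow(G, self._x, P)             # g^x: the KE payload sent to the peer
        self.nonce = secrets.token_bytes(nonce_len)  # Ni or Nr, also sent in the clear

    def skeyseed(self, peer_public: int, ni: bytes, nr: bytes) -> bytes:
        """Compute g^ir from the peer's public value and derive SKEYSEED."""
        if not 1 < peer_public < P - 1:
            # Reject the degenerate values 0, 1 and p-1 that force a known secret.
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self._x, P)
        # RFC 7296: g^ir is encoded big-endian, zero-padded to the modulus length.
        g_ir = shared.to_bytes(P_BYTES, "big")
        return hmac.new(ni + nr, g_ir, hashlib.sha256).digest()


def ike_sa_init() -> dict:
    """Simulate the IKE_SA_INIT exchange and return both derived seeds plus the
    two (constructed) wire messages, so it is visible that no private value
    was transmitted."""
    initiator, responder = IkePeer(), IkePeer()
    wire_i = {"KE": initiator.public, "N": initiator.nonce}   # initiator -> responder
    wire_r = {"KE": responder.public, "N": responder.nonce}   # responder -> initiator
    seed_i = initiator.skeyseed(wire_r["KE"], wire_i["N"], wire_r["N"])
    seed_r = responder.skeyseed(wire_i["KE"], wire_i["N"], wire_r["N"])
    return {"initiator": seed_i, "responder": seed_r, "on_wire": [wire_i, wire_r]}
```

Everything in `on_wire` is public; an eavesdropper holding both KE values and both nonces still cannot compute g^ir without one of the private exponents, which is why IKE does not need to ship keys across the link.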
PPTP
Developed by a vendor consortium led by Microsoft for granting VPN access to remote users over dial-up connections
Uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data; its keys are derived from the MS-CHAP password exchange, which is cryptographically weak by current standards
Useful only if support for older clients is needed
Can pass through Network Address Translation (NAT) devices that understand its GRE data channel
Superseded by L2TP/IPSec
L2TP
Extension to PPP that enables dial-up users to establish a VPN connection to a remote access server
Provides tunneling only; relies on IPSec (L2TP/IPSec) to encrypt and authenticate the data
Originally difficult to pass through NAT because ESP has no port numbers; current implementations use IPSec NAT-Traversal (ESP carried in UDP port 4500) to work through NAT
Provides stronger encryption and authentication than PPTP
PPP Over SSL and PPP Over SSH
Two UNIX-based methods for creating VPNs
Both combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH)
- SSL
  - Protocol used to provide secure communications over the Web; public-key cryptography (a server certificate) authenticates the server and sets up the session, and symmetric ciphers encrypt the data
- SSH
  - UNIX secure shell; authenticates the server by its host public key and the user by password or public key, then encrypts the session with symmetric keys negotiated for that session
When to Use Different VPN Protocols
Enabling Remote Access Connections within VPNs
Issue the user VPN client software
Make sure the user's computer is equipped with anti-virus software and a firewall
If IPSec is used for the VPN connection, also provision the remote user with credentials for it (a pre-shared key or a client certificate)
Configuring the Server
Major operating systems include ways of providing secure remote access
- Linux
  - IP Masquerade feature (NAT; it hides internal addresses behind the server but does not itself encrypt, so it is paired with a tunneling daemon to form the VPN)
- Windows XP and 2000
  - Network Connections Wizard
Configuring Clients
Involves either installing and configuring VPN client software or using the Network Connection Wizard
Client workstation must be protected by a firewall
VPN Best Practices
Security policy rules that specifically apply to the VPN
Integration of firewall packet filtering with VPN traffic
Auditing the VPN to make sure it is performing acceptably
The Need for a VPN Policy
Identify who can use the VPN
Ensure that all users know what constitutes proper use of the VPN
- Whether and how authentication is to be used
- Whether split tunneling is permitted (if not, all of the client's traffic goes through the tunnel while it is connected)
- How long users can be connected in any one session
- Whether virus protection is required
Packet Filtering and VPNs
Encryption and decryption of data can be performed either outside the packet-filtering perimeter or inside it
- VPN gateway outside the filter: the filter sees the decrypted traffic and can inspect it, but the gateway itself is exposed to the Internet
- VPN gateway inside the filter: the filter cannot inspect the encrypted payload, so it must explicitly pass the tunneling protocol's ports and protocol numbers to the gateway and nothing else
PPTP Filter Rules
L2TP and IPSec Packet-Filtering Rules
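The filter rules for the two protocol families, as an added example that is not part of the chapter (the book's own rule tables are not reproduced here): the two rule lists model the protocol numbers and ports that PPTP and L2TP/IPSec need opened towards a VPN gateway inside the packet-filtering perimeter, and `allowed` applies them to constructed sample packets. The gateway address 203.0.113.10, the remote user address 198.51.100.7 and the `Packet`/`Rule` types are this example's own; a real firewall also needs the reverse-direction rules or connection tracking, which are left out.

```python
"""Perimeter packet-filter rules that admit VPN traffic to an inside VPN
gateway, modelled as data, plus a matcher to apply them to sample packets."""
from dataclasses import dataclass
from typing import List, Optional

IPPROTO_TCP, IPPROTO_UDP = 6, 17
IPPROTO_GRE, IPPROTO_ESP, IPPROTO_AH = 47, 50, 51

VPN_GATEWAY = "203.0.113.10"   # hypothetical public address of the VPN terminator


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # None for protocols without ports (GRE, ESP, AH)


@dataclass(frozen=True)
class Rule:
    proto: int
    dport: Optional[int]          # None: match regardless of port
    comment: str


# PPTP: TCP 1723 carries the control connection; the tunnelled data rides on
# GRE (IP protocol 47), which has no port numbers, so it must be passed by
# protocol number alone.
PPTP_RULES: List[Rule] = [
    Rule(IPPROTO_TCP, 1723, "PPTP control connection"),
    Rule(IPPROTO_GRE, None, "PPTP data (GRE)"),
]

# L2TP/IPSec: IKE on UDP 500, NAT-Traversal on UDP 4500 (IKE and ESP in UDP),
# native ESP (50) and AH (51). L2TP's own UDP 1701 travels inside the ESP
# tunnel, so the perimeter never sees it in the clear and gets no rule for it.
L2TP_IPSEC_RULES: List[Rule] = [
    Rule(IPPROTO_UDP, 500, "IKE"),
    Rule(IPPROTO_UDP, 4500, "IKE and ESP with NAT-Traversal"),
    Rule(IPPROTO_ESP, None, "IPSec ESP"),
    Rule(IPPROTO_AH, None, "IPSec AH"),
]


def allowed(pkt: Packet, rules: List[Rule], gateway: str = VPN_GATEWAY) -> Optional[str]:
    """Return the comment of the first matching rule, or None if the packet is
    dropped. Only traffic addressed to the gateway is considered; everything
    else falls through to the default deny."""
    if pkt.dst != gateway:
        return None
    for rule in rules:
        if pkt.proto == rule.proto and (rule.dport is None or rule.dport == pkt.dport):
            return rule.comment
    return None


# Constructed sample traffic from a remote user at 198.51.100.7.
SAMPLE: List[Packet] = [
    Packet("198.51.100.7", VPN_GATEWAY, IPPROTO_TCP, 1723),
    Packet("198.51.100.7", VPN_GATEWAY, IPPROTO_GRE),
    Packet("198.51.100.7", VPN_GATEWAY, IPPROTO_UDP, 500),
    Packet("198.51.100.7", VPN_GATEWAY, IPPROTO_UDP, 4500),
    Packet("198.51.100.7", VPN_GATEWAY, IPPROTO_UDP, 1701),   # bare L2TP without IPSec
    Packet("198.51.100.7", "203.0.113.20", IPPROTO_ESP),      # ESP to a host that is not the gateway
]


def evaluate(rules: List[Rule], packets: List[Packet] = SAMPLE) -> List[Optional[str]]:
    """Apply one rule set to every sample packet."""
    return [allowed(pkt, rules) for pkt in packets]
```

Running `evaluate(L2TP_IPSEC_RULES)` admits the IKE and NAT-T packets and drops the bare UDP 1701 packet: unencrypted L2TP arriving at the perimeter means IPSec was not negotiated and should not be let in.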
Auditing and Testing the VPN
Time consuming
Choose client software that is easy for end users to install on their own to save you time and effort
Chapter Summary
Configuration and operations of VPNs