This post covers some crucial technical concepts connected with a VPN. A Virtual Private Network (VPN) integrates remote employees, company offices, and partners using the Internet and secures encrypted tunnels between locations. An Access VPN is used to connect remote users to the enterprise network. The remote workstation or laptop uses an access circuit such as Cable, DSL or Wireless to connect to a local Internet Service Provider (ISP). In the client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop to the Internet service provider using IPSec, Layer 2 Tunneling Protocol (L2TP), or Point to Point Tunneling Protocol (PPTP). The user must authenticate to the ISP as a permitted VPN user. Once that is finished, the ISP builds an encrypted tunnel to the company VPN router or concentrator. TACACS, RADIUS or Windows servers then authenticate the remote user as an employee who is allowed access to the company network. With that finished, the remote user must authenticate to the local Windows domain server, Unix server or Mainframe host, depending on where their network account is located. The ISP-initiated model is less secure than the client-initiated model because the encrypted tunnel is built only from the Internet service provider to the company VPN router or VPN concentrator. In that model the secure VPN tunnel is built with L2TP or L2F.
The Extranet VPN connects partners to your company network by building a secure VPN connection from the business partner router to the company VPN router or concentrator. The specific tunneling protocol used depends on whether it is a router connection or a remote dialup connection. The choices for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE). Dialup extranet connections use L2TP or L2F. The Intranet VPN connects company offices across a secure connection using the same process, with IPSec or GRE as the tunneling protocols. It is essential to note that what makes VPNs so cost effective and efficient is that they leverage the existing Internet for transporting company traffic. For this reason many companies are selecting IPSec as the preferred security protocol for guaranteeing that data stays secure as it travels between routers, or between a laptop and a router. IPSec is composed of 3DES encryption, IKE key exchange authentication and MD5 route authentication, which together provide authentication, authorization and confidentiality.
Internet Protocol Security (IPSec) – IPSec is worth describing in more detail because it is such a prevalent security protocol in Virtual Private Networking today. IPSec is specified in RFC 2401 and was created as an open standard for the secure transport of IP across the public Internet. The packet structure consists of an IP header / IPSec header / Encapsulating Security Payload. IPSec provides encryption services with 3DES and authentication with MD5. In addition there are Internet Key Exchange (IKE) and ISAKMP, which automate the distribution of secret keys among IPSec peer devices (concentrators and routers). These protocols are needed for negotiating one-way or two-way security associations. An IPSec security association is composed of an encryption algorithm (3DES), a hash algorithm (MD5) and an authentication method (MD5). Access VPN implementations use 3 security associations (SA) per connection (transmit, receive and IKE). A company network with many IPSec peer devices will use a Certificate Authority for scalability of the authentication process instead of IKE with pre-shared keys.
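To make the "IPSec header / Encapsulating Security Payload" structure and the MD5 authentication concrete, here is an added example (not from the original post) that builds and verifies an ESP packet authenticated with HMAC-MD5-96 as RFC 2403/2406 lay it out. The payload is assumed to be already 3DES-encrypted and is treated as an opaque byte string; the SPI, key and payload bytes are constructed for the example.

```python
import hashlib
import hmac
import struct

# ESP packet layout per RFC 2406 (the "IPSec header / Encapsulating Security
# Payload" that follows the IP header):
#   SPI (4) | Sequence Number (4) | Payload Data | Padding | Pad Length (1)
#   | Next Header (1) | ICV (12 with HMAC-MD5-96, RFC 2403)
# The ICV covers everything before it. The payload is assumed to be already
# 3DES-encrypted and is handled here as an opaque byte string.
ICV_LEN = 12   # HMAC-MD5-96 truncates the 16-byte MD5 HMAC to 96 bits
BLOCK = 8      # 3DES-CBC block size: payload + 2 trailer bytes must align


def build_esp(spi: int, seq: int, ciphertext: bytes, next_header: int, auth_key: bytes) -> bytes:
    """Wrap an already-encrypted payload in an authenticated ESP packet."""
    pad_len = (-(len(ciphertext) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))      # RFC 2406 default padding 1,2,3,...
    body = struct.pack("!II", spi, seq) + ciphertext + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    return body + icv


def verify_esp(packet: bytes, auth_key: bytes):
    """Return (spi, seq, ciphertext, next_header) if the ICV matches, else None.

    The receiver authenticates before it decrypts, so a forged or modified
    packet is dropped without ever reaching the 3DES step.
    """
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10:                # trailer would overlap the header
        return None
    ciphertext = body[8:len(body) - 2 - pad_len]
    return spi, seq, ciphertext, next_header


# Constructed sample: 16 bytes of opaque ciphertext, next header 4 (IP-in-IP).
AUTH_KEY = b"constructed-hmac-key"
SAMPLE = build_esp(spi=0x1000, seq=1, ciphertext=b"\x11" * 16, next_header=4, auth_key=AUTH_KEY)
TAMPERED = SAMPLE[:12] + bytes([SAMPLE[12] ^ 0xFF]) + SAMPLE[13:]  # flip one payload byte

if __name__ == "__main__":
    print("valid   :", verify_esp(SAMPLE, AUTH_KEY))
    print("tampered:", verify_esp(TAMPERED, AUTH_KEY))
```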
Laptop – VPN Concentrator IPSec Peer Connection
1. IKE Security Association Negotiation
2. IPSec Tunnel Setup
3. XAUTH Request / Response – (RADIUS Server Authentication)
4. Mode Config Response / Acknowledge (DHCP and DNS)
5. IPSec Security Association
Access VPN Design – The Access VPN will leverage the availability and low cost of the Internet for connectivity to the company core office, using WiFi, DSL and Cable access circuits from local Internet providers. The primary concern is that company data must be protected as it travels across the Internet from the telecommuter laptop to the company core office. The client-initiated model will be used, which builds an IPSec tunnel from each client laptop that is terminated at a VPN concentrator. Each laptop will be configured with VPN client software that runs on Windows. The telecommuter must first dial the local access number and authenticate with the ISP. The RADIUS server will authenticate each dial connection as an authorized telecommuter. Once that is finished, the remote user will authenticate and authorize with a Windows, Solaris or Mainframe server before starting any applications. There will be dual VPN concentrators configured for failover with Virtual Router Redundancy Protocol (VRRP) should one of them become unavailable.
Each concentrator is connected between the external router and the firewall. A new feature of the VPN concentrators prevents denial of service (DoS) attacks from outside attackers that could affect network availability. The firewalls are configured to permit the source and destination IP addresses that are assigned to each telecommuter from a pre-defined range. In addition, only the application and protocol ports that are needed will be permitted through the firewall.
Extranet VPN Design – The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus because the Internet will be used for transporting all data traffic from each business partner. There will be a circuit connection from each business partner that terminates at a VPN router at the company core office. Each business partner, and its peer VPN router at the core office, will use a router with a VPN module. That module provides IPSec and high-speed hardware encryption of packets before they are transported across the Internet. Peer VPN routers at the company core office are dual homed to different multilayer switches for link diversity should one of the links be unavailable. It is crucial that traffic from one business partner does not wind up at another business partner's office. The switches are located between the internal and external firewalls and are used for connecting public servers and the external DNS server. That is not a security issue because the external firewall is filtering public Internet traffic.
Additionally, filtering can be implemented at each network switch to prevent routes from being advertised, or vulnerabilities exploited, via the business partner connections at the company core office multilayer switches. Separate VLANs will be assigned at each network switch for every business partner to enhance security and segmentation of subnet traffic. The tier 2 external firewall will examine each packet and permit only those with the business partner source and destination IP addresses, application and protocol ports they need. Business partner sessions will need to authenticate with a RADIUS server. Once that is finished, they will authenticate at Windows, Solaris or Mainframe hosts before starting any applications.
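The extranet policy described above (permit only each partner's source and destination addresses and the ports it needs, and never let one partner's traffic reach another partner) can be expressed and checked as a small default-deny rule set. This is an added example, not part of the original design; the address ranges, partner names and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan: one /24 per business partner and a /24 for the
# core office application servers they are allowed to reach.
CORE_APPS = ipaddress.ip_network("10.10.0.0/24")
PARTNERS = {
    "partner-a": ipaddress.ip_network("172.16.1.0/24"),
    "partner-b": ipaddress.ip_network("172.16.2.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int


# Explicit permits only (default deny): a partner may reach the core office
# application it needs and nothing else, so partner-to-partner traffic has
# no rule to match and is dropped at the tier 2 external firewall.
RULES = [
    Rule(PARTNERS["partner-a"], CORE_APPS, "tcp", 443),    # partner-a: HTTPS app
    Rule(PARTNERS["partner-b"], CORE_APPS, "tcp", 1521),   # partner-b: database listener
]


def permitted(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Evaluate one flow against the rule set; unmatched flows are denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in r.src and dst in r.dst and proto == r.proto and dport == r.dport
               for r in RULES)


def partner_isolation_holds() -> bool:
    """Audit check: no rule may permit traffic from one partner range into another's."""
    for name_a, net_a in PARTNERS.items():
        for name_b, net_b in PARTNERS.items():
            if name_a == name_b:
                continue
            if any(r.src.overlaps(net_a) and r.dst.overlaps(net_b) for r in RULES):
                return False
    return True


if __name__ == "__main__":
    print("partner-a -> core app :", permitted("172.16.1.10", "10.10.0.5", "tcp", 443))
    print("partner-a -> partner-b:", permitted("172.16.1.10", "172.16.2.5", "tcp", 443))
    print("isolation holds       :", partner_isolation_holds())
```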