This article discusses some important technical principles associated with VPNs. A Virtual Private Network (VPN) integrates remote employees, company offices, and business partners over the Internet and secures encrypted tunnels between locations. An Access VPN can be used to connect remote users to the enterprise network. The remote workstation or laptop uses an access circuit such as Cable, DSL or Wireless to connect to a local Internet Service Provider (ISP). In a client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop to the ISP using IPSec, Layer 2 Tunneling Protocol (L2TP), or Point to Point Tunneling Protocol (PPTP). The user must authenticate with the ISP as a permitted VPN user. Once that is finished, the ISP builds an encrypted tunnel to the company VPN router or concentrator. TACACS, RADIUS or Windows servers then authenticate the remote user as an employee who is allowed access to the company network. With that finished, the remote user must still authenticate to the local Windows domain server, Unix server or Mainframe host, depending on where their network account is held. The ISP-initiated model is less secure than the client-initiated model because the encrypted tunnel is built only from the ISP to the company VPN router or VPN concentrator, so the access circuit between the laptop and the ISP is not covered by the tunnel. In that model the VPN tunnel is built with L2TP or L2F.
The Extranet VPN connects business partners to the company network by building a secure VPN connection from the business partner router to the company VPN router or concentrator. The tunneling protocol used depends on whether it is a router connection or a remote dialup connection. The options for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE); dialup extranet connections use L2TP or L2F. The Intranet VPN connects company offices across a secure connection using the same approach, with IPSec or GRE as the tunneling protocols. What makes VPNs so affordable and efficient is that they leverage the existing Internet for transporting company traffic. That is why many companies select IPSec as the security protocol of choice for ensuring that data is protected as it travels between routers, or between a laptop and a router. IPSec combines 3DES encryption, IKE key exchange authentication and MD5 route authentication, which together provide authentication, authorization and confidentiality.
Internet Protocol Security (IPSec) – IPSec operation is worth describing since it is such a common security protocol in Virtual Private Networking today. IPSec is specified in RFC 2401 and was developed as an open standard for the secure transport of IP across the public Internet. The packet structure consists of an IP header, an IPSec header and an Encapsulating Security Payload (ESP). IPSec provides encryption services with 3DES and authentication with MD5. In addition, Internet Key Exchange (IKE) and ISAKMP automate the distribution of secret keys between IPSec peer devices (concentrators and routers). Those protocols are essential for negotiating one-way or two-way security associations. An IPSec security association consists of the encryption algorithm (3DES), the hash algorithm (MD5) and an authentication method (MD5). Access VPN implementations use three security associations (SA) per connection (transmit, receive and IKE). An enterprise network with many IPSec peer devices will employ a Certificate Authority for scalability of the authentication process, rather than IKE with pre-shared keys.
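The packet structure just described (IP header, then the IPSec header, then the protected payload) is what a receiving concentrator or router has to parse before it can tell which security association a packet belongs to. The following Python is an added example written for this article, not code from the original article or from any vendor: it parses the outer IPv4 header and the ESP header (32-bit SPI and 32-bit sequence number, as defined for ESP) from a constructed packet and resolves the inbound SA by (destination address, SPI). The SA table, peer names, addresses and SPI values are all constructed for illustration; the packet body is a dummy and is not actually encrypted.

```python
"""Parse the outer IPv4 header and the ESP header of a constructed IPSec
packet and look up the security association (SA) it belongs to.

Added example, not code from the original article. The SA table, peer
names, addresses, SPI values and the packet bytes are constructed.
"""
import ipaddress
import struct

IPPROTO_ESP = 50  # IP protocol number of Encapsulating Security Payload

# Constructed inbound SA table keyed by (local destination address, SPI).
# The algorithms mirror the article: 3DES for encryption, MD5 for integrity.
SA_TABLE = {
    ("203.0.113.10", 0x1000A001): {"peer": "telecommuter-1", "enc": "3des-cbc", "auth": "hmac-md5"},
    ("203.0.113.10", 0x1000A002): {"peer": "partner-router-a", "enc": "3des-cbc", "auth": "hmac-md5"},
}


def parse_ipv4_header(pkt: bytes) -> dict:
    """Return the outer IPv4 header fields needed for SA lookup."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "header_len": ihl,
        "total_len": total_len,
        "proto": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }


def parse_esp_header(payload: bytes) -> dict:
    """ESP starts with a 32-bit SPI and a 32-bit sequence number; the rest
    is the encrypted payload followed by the integrity check value."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", payload[:8])
    return {"spi": spi, "seq": seq, "encrypted": payload[8:]}


def classify_esp_packet(pkt: bytes) -> dict:
    """Parse IP + ESP headers and resolve the SA; packets whose SPI is not
    known for this destination cannot be authenticated and are dropped."""
    ip = parse_ipv4_header(pkt)
    if ip["proto"] != IPPROTO_ESP:
        return {"action": "not-esp", "proto": ip["proto"]}
    esp = parse_esp_header(pkt[ip["header_len"]:])
    sa = SA_TABLE.get((ip["dst"], esp["spi"]))
    if sa is None:
        return {"action": "drop", "reason": "no-sa", "spi": esp["spi"], "src": ip["src"]}
    return {"action": "deliver-to-sa", "peer": sa["peer"], "spi": esp["spi"],
            "seq": esp["seq"], "src": ip["src"]}


def build_test_packet(src: str, dst: str, spi: int, seq: int, body: bytes) -> bytes:
    """Construct an IPv4/ESP packet with a dummy body (checksum left zero)."""
    esp = struct.pack("!II", spi, seq) + body
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64,
                         IPPROTO_ESP, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + esp


if __name__ == "__main__":
    known = build_test_packet("198.51.100.7", "203.0.113.10", 0x1000A001, 1, b"\x00" * 16)
    unknown = build_test_packet("198.51.100.7", "203.0.113.10", 0xDEADBEEF, 5, b"\x00" * 16)
    print(classify_esp_packet(known))
    print(classify_esp_packet(unknown))
```

The lookup key is the pair (destination address, SPI) because the SPI alone is only meaningful relative to the receiver that allocated it; a concentrator terminating many tunnels holds one inbound SA per peer, which is why the article counts separate transmit and receive SAs per connection.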
Laptop – VPN Concentrator IPSec Peer Connection
1. IKE Security Association Negotiation
2. IPSec Tunnel Setup
3. XAUTH Request / Response – (RADIUS Server Authentication)
4. Mode Config Response / Acknowledge (DHCP and DNS)
5. IPSec Security Association
Access VPN Design – The Access VPN will leverage the availability and low cost of the Internet for connectivity to the company core office, using WiFi, DSL and Cable access circuits from local Internet Service Providers. The primary concern is that company data must be protected as it travels across the Internet from the telecommuter laptop to the company core office. The client-initiated model will be used, building an IPSec tunnel from each client laptop that is terminated at a VPN concentrator. Each laptop will be configured with VPN client software that runs on Windows. The telecommuter must first dial a local access number and authenticate with the ISP. The RADIUS server will authenticate each dial connection as an authorized telecommuter. Once that is finished, the remote user authenticates and is authorized by the Windows, Solaris or Mainframe server before starting any applications. There are dual VPN concentrators configured for failover with the Virtual Router Redundancy Protocol (VRRP) should one of them become unavailable.
Each concentrator is connected between the external router and the firewall. A newer feature of the VPN concentrators mitigates denial of service (DoS) attacks from outside attackers that could affect network availability. The firewalls are configured to permit the source and destination IP addresses assigned to each telecommuter from a pre-defined range. In addition, only the application and protocol ports that are required will be permitted through the firewall.
Extranet VPN Design – The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus, since the Internet will be used to transport all data traffic from each business partner. There will be a circuit connection from each business partner that terminates at a VPN router at the company core office. Each business partner, and its peer VPN router at the core office, will use a router with a VPN module. That module provides IPSec and high-speed hardware encryption of packets before they are transported across the Internet. Peer VPN routers at the company core office are dual-homed to multilayer switches for link diversity should one of the links become unavailable. It is crucial that traffic from one business partner does not end up at another business partner's office. The switches are located between the internal and external firewalls and are used for connecting public servers and the external DNS server. That is not a security issue, because the external firewall is filtering public Internet traffic.
In addition, filtering can be implemented at each network switch to prevent routes from being advertised to, or vulnerabilities from being exploited through, the business partner connections on the company core office multilayer switches. Separate VLANs will be assigned at each network switch for each business partner to improve security and segment subnet traffic. The tier 2 external firewall will examine each packet and permit only those with the business partner source and destination IP addresses, applications and protocol ports they need. Business partner sessions will have to authenticate with a RADIUS server. Once that is finished, they will authenticate at Windows, Solaris or Mainframe hosts before starting any applications.
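Both the Access VPN firewall policy (permit only the telecommuter address range and the ports it needs) and the Extranet requirement that one business partner's traffic never reaches another partner's office come down to the same thing: a default-deny filter plus a way to check that the rule set actually enforces the isolation. The Python below is an added example written for this article, not the article's own configuration or any vendor's firewall syntax. It models a stateless first-match policy, evaluates sample flows against it, and audits the rule set for any permit rule whose source overlaps one partner subnet while its destination overlaps a different partner's subnet. The address plan, partner names, ports and rules are all constructed (private RFC 1918 ranges).

```python
"""Default-deny firewall policy evaluation and a partner-isolation audit.

Added example, not from the original article. Addresses, ports, partner
names and rules are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str            # "tcp" or "udp"
    dport: Optional[int]  # None means any destination port
    action: str           # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed address plan. The telecommuter pool stands for the pre-defined
# range handed to VPN clients; each partner gets its own subnet and VLAN.
TELECOMMUTER_POOL = ip_network("10.250.0.0/24")
PARTNER_SUBNETS = {
    "partner-a": ip_network("172.16.10.0/24"),
    "partner-b": ip_network("172.16.20.0/24"),
}
CORE_SERVERS = ip_network("10.1.0.0/16")

# Constructed policy: only required destinations and ports are permitted;
# everything not matched falls through to the implicit deny in evaluate().
POLICY = [
    Rule("telecommuter-https", TELECOMMUTER_POOL, CORE_SERVERS, "tcp", 443, "permit"),
    Rule("telecommuter-dns", TELECOMMUTER_POOL, ip_network("10.1.1.53/32"), "udp", 53, "permit"),
    Rule("partner-a-app", PARTNER_SUBNETS["partner-a"], ip_network("10.1.50.0/24"), "tcp", 8443, "permit"),
    Rule("partner-b-app", PARTNER_SUBNETS["partner-b"], ip_network("10.1.60.0/24"), "tcp", 8443, "permit"),
]


def match(rule: Rule, flow: Flow) -> bool:
    """True when the flow's addresses, protocol and port fall inside the rule."""
    return (ip_address(flow.src) in rule.src
            and ip_address(flow.dst) in rule.dst
            and rule.proto == flow.proto
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(policy: list, flow: Flow) -> str:
    """First-match evaluation with an implicit final deny."""
    for rule in policy:
        if match(rule, flow):
            return rule.action
    return "deny"


def audit_partner_isolation(policy: list, partners: dict) -> list:
    """Return 'rule: a -> b' for every permit rule whose source overlaps one
    partner's subnet and whose destination overlaps a different partner's."""
    findings = []
    for rule in policy:
        if rule.action != "permit":
            continue
        for a, net_a in partners.items():
            if not rule.src.overlaps(net_a):
                continue
            for b, net_b in partners.items():
                if a != b and rule.dst.overlaps(net_b):
                    findings.append(f"{rule.name}: {a} -> {b}")
    return findings


if __name__ == "__main__":
    for f in (Flow("10.250.0.17", "10.1.3.4", "tcp", 443),
              Flow("10.250.0.17", "10.1.3.4", "tcp", 22),
              Flow("172.16.10.5", "172.16.20.9", "tcp", 8443)):
        print(f, "->", evaluate(POLICY, f))
    print("isolation findings:", audit_partner_isolation(POLICY, PARTNER_SUBNETS))
```

The audit works on address overlap rather than on sample flows, so it catches an over-broad rule (for example a permit covering a whole 172.16.0.0/16) that no single test packet would have exercised; run it whenever a partner rule is added or a partner subnet changes.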