This article covers some crucial technical principles connected with a VPN. A Virtual Private Network (VPN) integrates remote employees, company offices, and partners using the Internet and secures encrypted tunnels between locations. An Access VPN is used to connect remote users to the enterprise network. The remote workstation or laptop uses an access circuit such as Cable, DSL or Wireless to connect to a local Internet Service Provider (ISP). With a client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop to the Internet service provider using IPSec, Layer 2 Tunneling Protocol (L2TP), or Point to Point Tunneling Protocol (PPTP). The user must authenticate as a permitted VPN user with the ISP. Once that is finished, the ISP builds an encrypted tunnel to the company VPN router or concentrator. TACACS, RADIUS or Windows servers will authenticate the remote user as an employee who is allowed access to the company network. With that finished, the remote user must then authenticate to the local Windows domain server, Unix server or Mainframe host, depending on where their network account is located. The ISP-initiated model is less secure than the client-initiated model, since the encrypted tunnel is built only from the ISP to the company VPN router or VPN concentrator. In that model the secure VPN tunnel is constructed with L2TP or L2F.
The Extranet VPN connects business partners to a company network by building a secure VPN connection from the business partner router to the company VPN router or concentrator. The tunneling protocol used depends on whether it is a router connection or a remote dialup connection. The options for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE). Dialup extranet connections will use L2TP or L2F. The Intranet VPN connects company offices across a secure connection using the same process, with IPSec or GRE as the tunneling protocols. It is important to note that what makes VPNs so economical and efficient is that they leverage the existing Internet for transporting company traffic. For this reason most companies are selecting IPSec as the security protocol of choice for ensuring that data is secure as it travels between routers, or between laptop and router. IPSec is composed of 3DES encryption, IKE key exchange authentication and MD5 route authentication, which together offer authentication, authorization and confidentiality.
Internet Protocol Security (IPSec) – The IPSec protocol is worth describing because it is such a common security protocol used today with Virtual Private Networking. IPSec is specified in RFC 2401 and was developed as an open standard for secure transport of IP across the public Internet. The packet structure consists of an IP header, an IPSec header and an Encapsulating Security Payload. IPSec provides encryption with 3DES and authentication with MD5. In addition there are Internet Key Exchange (IKE) and ISAKMP, which automate the distribution of secret keys between IPSec peer devices (concentrators and routers). These protocols are required for negotiating one-way or two-way security associations. IPSec security associations consist of the encryption algorithm (3DES), the hash algorithm (MD5) and an authentication method (MD5). Access VPN implementations use three security associations (SAs) per connection (transmit, receive and IKE). An enterprise network with many IPSec peer devices will use a Certificate Authority for scalability of the authentication process instead of IKE pre-shared keys.
Laptop – VPN Concentrator IPSec Peer Connection
1. IKE Security Association Negotiation
2. IPSec Tunnel Setup
3. XAUTH Request / Response – (RADIUS Server Authentication)
4. Mode Config Response / Acknowledge (DHCP and DNS)
5. IPSec Security Association
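As an added example (not code from the original article), the following Python model shows what an inbound IPSec peer does with the Encapsulating Security Payload once the security association from step 5 exists: it selects the SA by SPI and destination, verifies the MD5-based integrity check value before trusting any other field, and rejects replayed sequence numbers. The SA table, key and addresses are constructed demo values, and the 3DES ciphertext is represented by a placeholder.

```python
import hashlib
import hmac
import struct

# Constructed inbound SA database, keyed the way IPSec selects an SA:
# (SPI, destination address, protocol). The key is a made-up demo value.
SA_DB = {
    (0x1000ABCD, "203.0.113.10", "esp"): {"auth_key": b"demo-md5-auth-key", "last_seq": 0},
}

ESP_HDR = struct.Struct("!II")  # ESP header: SPI, sequence number
ICV_LEN = 12                    # HMAC-MD5-96 keeps the first 96 bits of the MD5 HMAC


def build_esp(spi, seq, ciphertext, auth_key):
    """Assemble an ESP packet: header + already-encrypted payload + ICV.
    The caller supplies the 3DES ciphertext; only the integrity part is modelled."""
    body = ESP_HDR.pack(spi, seq) + ciphertext
    icv = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    return body + icv


def verify_esp(packet, dst, sa_db=SA_DB):
    """Check an inbound ESP packet against the SA database.
    Returns (accepted, reason). The ICV is verified before any other field is
    trusted, and the sequence number must advance (simplified anti-replay)."""
    if len(packet) < ESP_HDR.size + ICV_LEN:
        return False, "short packet"
    spi, seq = ESP_HDR.unpack_from(packet)
    sa = sa_db.get((spi, dst, "esp"))
    if sa is None:
        return False, "no SA for SPI %#x" % spi
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, "ICV mismatch"
    if seq <= sa["last_seq"]:
        return False, "replayed sequence %d" % seq
    sa["last_seq"] = seq
    return True, "ok"


if __name__ == "__main__":
    key = SA_DB[(0x1000ABCD, "203.0.113.10", "esp")]["auth_key"]
    pkt = build_esp(0x1000ABCD, 1, b"\x00" * 16, key)  # placeholder ciphertext
    print(verify_esp(pkt, "203.0.113.10"))             # accepted
    print(verify_esp(pkt, "203.0.113.10"))             # replay rejected
    print(verify_esp(pkt[:8] + b"\x01" + pkt[9:], "203.0.113.10"))  # tampered
```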
Access VPN Design – The Access VPN will leverage the availability and low cost of the Internet for connectivity to the company core office, with WiFi, DSL and Cable access circuits from local Internet Service Providers. The main concern is that company data must be protected as it travels across the Internet from the telecommuter laptop to the company core office. The client-initiated model will be used, which builds an IPSec tunnel from each client laptop that is terminated at a VPN concentrator. Each laptop will be configured with VPN client software that runs on Windows. The telecommuter must first dial the local access number and authenticate with the ISP. The RADIUS server will authenticate each dial connection as an authorized telecommuter. Once that is finished, the remote user will authenticate and authorize with a Windows, Solaris or Mainframe server before starting any applications. There are dual VPN concentrators, which will be configured for failover with the Virtual Router Redundancy Protocol (VRRP) should one of them be unavailable.
Each concentrator is connected between the external router and the firewall. A new feature of the VPN concentrators prevents denial of service (DoS) attacks from external attackers that could affect network availability. The firewalls are configured to permit the source and destination IP addresses that are allotted to each telecommuter from a pre-defined range. Any application and protocol ports that are required will also be permitted through the firewall.
Extranet VPN Design – The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus, since the Internet will be used for transporting all data traffic from each business partner. There will be a circuit connection from each business partner that terminates at a VPN router at the company core office. Each business partner and its peer VPN router at the core office will use a router with a VPN module. That module provides IPSec and high-speed hardware encryption of packets before they are transported across the Internet. Peer VPN routers at the company core office are dual homed to different multilayer switches for link diversity should one of the links be unavailable. It is essential that traffic from one business partner doesn't end up at another business partner office. The switches are situated between the internal and external firewalls and are used for connecting public servers and the external DNS server. That isn't a security issue because the external firewall is filtering public Internet traffic.
Filtering can also be implemented at each network switch to prevent routes from being advertised, or vulnerabilities from being exploited, as a result of having business partner connections on the company core office multilayer switches. Separate VLANs will be assigned at each network switch for each business partner to improve security and segmentation of subnet traffic. The tier 2 external firewall will examine each packet and permit those with business partner source and destination IP addresses and the application and protocol ports they require. Business partner sessions will have to authenticate with a RADIUS server. Once that is finished, they will authenticate to Windows, Solaris or Mainframe hosts before starting any applications.
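Added example, not part of the original article: a small Python policy check that models the firewall rules described for both the Access VPN (telecommuter addresses allotted from a pre-defined pool, required ports only) and the Extranet VPN (business partner sources permitted to the core office only, never to another partner office). The address ranges, partner names and port lists are constructed sample values.

```python
import ipaddress

# Constructed address plan using documentation ranges, not a real deployment.
CORE_OFFICE = ipaddress.ip_network("10.10.0.0/16")
TELECOMMUTER_POOL = ipaddress.ip_network("10.200.0.0/24")  # pre-defined range handed out by the concentrator
PARTNERS = {
    "partner-a": ipaddress.ip_network("192.0.2.0/24"),
    "partner-b": ipaddress.ip_network("198.51.100.0/24"),
}
# Only the application/protocol ports each population actually requires are opened.
REQUIRED_PORTS = {
    "telecommuter": {("tcp", 443), ("tcp", 3389)},
    "partner-a": {("tcp", 443)},
    "partner-b": {("tcp", 1433)},
}


def classify(addr):
    """Map an address to the population it was allotted to, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    if ip in CORE_OFFICE:
        return "core"
    if ip in TELECOMMUTER_POOL:
        return "telecommuter"
    for name, net in PARTNERS.items():
        if ip in net:
            return name
    return "unknown"


def firewall_verdict(src, dst, proto, dport):
    """Decide whether a session-initiating packet is permitted into the core office.
    Returns (verdict, reason). Return traffic is assumed to be handled statefully."""
    s, d = classify(src), classify(dst)
    if s == "unknown" or d == "unknown":
        return "deny", "address outside every allotted range"
    if s == "core":
        return "deny", "sessions initiated from the core are outside this inbound policy"
    if d != "core":
        # Keeps one partner's (or a telecommuter's) traffic from reaching another partner office.
        return "deny", "%s -> %s is not a permitted path" % (s, d)
    if (proto, dport) not in REQUIRED_PORTS[s]:
        return "deny", "%s/%d is not required for %s" % (proto, dport, s)
    return "permit", "ok"


if __name__ == "__main__":
    for flow in [("192.0.2.5", "10.10.1.20", "tcp", 443),
                 ("192.0.2.5", "198.51.100.9", "tcp", 443),
                 ("10.200.0.7", "10.10.1.20", "tcp", 22)]:
        print(flow, firewall_verdict(*flow))
```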