This article covers some of the key technical concepts behind VPNs. A Virtual Private Network (VPN) connects remote employees, company offices and business partners over the Internet and secures that traffic in encrypted tunnels between locations. An Access VPN connects remote users to the enterprise network. The remote workstation or laptop uses an access circuit such as cable, DSL or wireless to reach a local Internet Service Provider (ISP). In the client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop to the ISP using IPSec, Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP). The user must authenticate to the ISP as a permitted VPN user; once that is done, the ISP builds an encrypted tunnel to the company VPN router or concentrator. A TACACS, RADIUS or Windows server then authenticates the remote user as an employee who is allowed onto the company network. With that finished, the remote user must still authenticate to the local Windows domain server, Unix server or mainframe host, depending on where their network account resides. The ISP-initiated model is less secure than the client-initiated model because the encrypted tunnel runs only from the ISP to the company VPN router or concentrator, leaving the leg between the remote workstation and the ISP unprotected by the VPN. In that model the tunnel is built with L2TP or L2F. Note that PPTP is of historical interest only: its MS-CHAPv2 authentication is considered broken and it should not be deployed today.
The Extranet VPN connects business partners to the company network by building a secure VPN connection from the business partner's router to the company VPN router or concentrator. The tunneling protocol used depends on whether the connection is router-to-router or a remote dial-up connection. The options for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE); dial-up extranet connections use L2TP or L2F. The Intranet VPN connects company offices over a secure connection using the same approach, with IPSec or GRE as the tunneling protocols. Keep in mind that GRE on its own only encapsulates; it provides no encryption or integrity protection, so a GRE tunnel carrying sensitive traffic must itself be protected by IPSec. What makes VPNs so cost-effective and efficient is that they leverage the existing Internet to transport company traffic. That is why many companies select IPSec as the security protocol of choice for keeping data secure as it travels between routers, or between a laptop and a router. The IPSec deployment described here uses 3DES for encryption, IKE for key exchange and peer authentication, and HMAC-MD5 for packet integrity, which together provide confidentiality, integrity and origin authentication. Authorization (which users and partners may reach which hosts and ports) is enforced separately by the RADIUS servers and firewalls described later. Both 3DES and HMAC-MD5 are legacy choices; current IPSec algorithm guidance (RFC 8221) deprecates them in favour of AES-GCM, or AES-CBC with HMAC-SHA-256.
Internet Protocol Security (IPSec) – IPSec is worth describing in more detail because it is the most common security protocol used today for virtual private networking. IPSec was originally specified in RFC 2401 (since superseded by RFC 4301) and developed as an open standard for secure transport of IP over the public Internet. The packet structure is an outer IP header, followed by the IPSec (ESP) header, followed by the Encapsulating Security Payload that carries the protected data. In the design described here IPSec provides encryption with 3DES and integrity with HMAC-MD5. Internet Key Exchange (IKE), built on ISAKMP, automates the distribution of keys between IPSec peer devices (concentrators and routers) and negotiates the security associations. An IPSec security association (SA) is unidirectional, so a bidirectional IPSec connection needs a pair of SAs, one in each direction, in addition to the IKE SA that protects the negotiation itself; this is why Access VPN implementations use three SAs per connection (transmit, receive and IKE). Each IPSec SA records the encryption algorithm (3DES), the integrity algorithm (HMAC-MD5), the keys and the Security Parameter Index (SPI) that identifies the SA in the ESP header; the method by which the peers authenticate each other (pre-shared secret or certificate) is a property of the IKE negotiation. A company network with many IPSec peer devices will use a Certificate Authority rather than IKE pre-shared secrets so that peer authentication scales.
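To make the ESP packet structure and the security association concrete, the following is an added example (not code from the article or any vendor): a receiver-side model of one inbound ESP SA that parses the SPI and sequence number, verifies the Integrity Check Value, and enforces the RFC 4303 anti-replay window. It assumes an ICV of HMAC-SHA-256 truncated to 128 bits rather than the HMAC-MD5 the article mentions, and the key, SPI and payload bytes are constructed for the demonstration; the payload is treated as opaque and is not actually encrypted.

```python
import hmac
import hashlib
import struct

# Added example (not from the article). Models the ESP data plane: an ESP
# header (SPI, sequence number), protected payload and a trailing Integrity
# Check Value (ICV). The ICV here is HMAC-SHA-256 truncated to 128 bits; the
# key, SPI and "ciphertext" bytes are constructed, and the payload is opaque
# rather than really encrypted.

ESP_HDR = struct.Struct("!II")   # SPI, sequence number (network byte order)
ICV_LEN = 16                     # 128-bit truncated HMAC

class InboundSA:
    """One unidirectional inbound ESP security association: the SPI that
    identifies it, the integrity key, and RFC 4303 anti-replay state."""

    def __init__(self, spi, auth_key, window=64):
        self.spi = spi
        self.auth_key = auth_key
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bit i set => seq (highest - i) was accepted

    def _icv(self, authenticated):
        return hmac.new(self.auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]

    def _replay_check(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq == 0:
            return False                       # seq 0 is never valid (RFC 4303 3.3.3)
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.window:
                self.seen = 1                  # window moved entirely past old state
            else:
                self.seen = ((self.seen << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.window:
            return False                       # too old: left of the window
        bit = 1 << diff
        if self.seen & bit:
            return False                       # already accepted: replay
        self.seen |= bit
        return True

    def receive(self, esp_packet):
        """Verify an ESP packet; return (payload, "ok") or (None, reason)."""
        if len(esp_packet) < ESP_HDR.size + ICV_LEN:
            return None, "truncated"
        spi, seq = ESP_HDR.unpack_from(esp_packet)
        if spi != self.spi:
            return None, "unknown SPI"
        body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
        # Integrity first: a forged or modified packet must never touch replay state.
        if not hmac.compare_digest(self._icv(body), icv):
            return None, "bad ICV"
        if not self._replay_check(seq):
            return None, "replay"
        return body[ESP_HDR.size:], "ok"

def build_esp(spi, seq, payload, auth_key):
    """Sender side: ESP header + payload, then ICV over header and payload."""
    body = ESP_HDR.pack(spi, seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]

def demo():
    key = b"constructed-sample-integrity-key"   # constructed sample key
    spi = 0x1000ABCD                            # constructed SPI
    sa = InboundSA(spi=spi, auth_key=key)
    results = []
    p1 = build_esp(spi, 1, b"inner IP packet 1", key)
    p2 = build_esp(spi, 2, b"inner IP packet 2", key)
    results.append(sa.receive(p1)[1])                             # ok
    results.append(sa.receive(p2)[1])                             # ok
    results.append(sa.receive(p1)[1])                             # replay of seq 1
    tampered = p2[:ESP_HDR.size] + b"X" + p2[ESP_HDR.size + 1:]   # flip one payload byte
    results.append(sa.receive(tampered)[1])                       # bad ICV
    results.append(sa.receive(build_esp(spi, 200, b"late", key))[1])  # ok, window slides
    results.append(sa.receive(build_esp(spi, 3, b"old", key))[1])     # fell out of window
    return results

if __name__ == "__main__":
    print(demo())
```

The ordering inside `receive` matters: the ICV is checked before the replay window is consulted, so an attacker who cannot forge the ICV cannot advance the window or poison its state by injecting packets with high sequence numbers. A real ESP implementation would decrypt the payload after these checks and use the trailing pad length and next-header fields to recover the inner packet.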
Laptop – VPN Concentrator IPSec Peer Connection
1. IKE Security Association Negotiation (IKE Phase 1: the peers agree on algorithms, perform the Diffie-Hellman exchange and authenticate each other with a pre-shared secret or certificate)
2. IKE SA Established (a protected channel that carries the remaining steps)
3. XAUTH Request / Response (the concentrator challenges for the user's credentials and verifies them against the RADIUS server)
4. Mode Config Response / Acknowledge (the concentrator pushes the client's tunnel IP address and DNS server, in the manner of DHCP)
5. IPSec Security Association Negotiation (IKE Phase 2, Quick Mode, establishes the pair of ESP SAs that carry the data)
Access VPN Design – The Access VPN leverages the widely available, inexpensive Internet for connectivity to the company core office, using WiFi, DSL and cable access circuits from local Internet providers. The main problem is that company data has to be protected as it travels across the Internet from the telecommuter's laptop to the company core office. The client-initiated model is used: an IPSec tunnel is built from each client laptop and terminated on a VPN concentrator. Each laptop is configured with VPN client software running on Windows. The telecommuter first dials a local access number and authenticates with the ISP; the RADIUS server authenticates each dial connection as an authorized telecommuter. Once that is done, the remote user authenticates to, and is authorized by, a Windows, Solaris or mainframe server before starting any applications. Dual VPN concentrators are deployed and configured for failover with the Virtual Router Redundancy Protocol (VRRP), so that if one becomes unavailable the other takes over the shared virtual address.
Each concentrator sits between the external router and the firewall. A newer feature of the VPN concentrators is protection against denial of service (DoS) attacks from outside attackers that could affect network availability. The firewalls are configured to permit only the source and destination IP addresses assigned to each telecommuter from a pre-defined address pool, and only the application and protocol ports that are actually needed are permitted through the firewall.
Extranet VPN Design – The Extranet VPN provides secure connectivity from each business partner office to the company core office. Security is the primary focus because the Internet is used to transport all data traffic from each business partner. A circuit connection from each business partner terminates on a VPN router at the company core office. Each business partner, and its peer VPN router at the core office, uses a router with a VPN module; that module provides IPSec and high-speed hardware encryption of packets before they are transported over the Internet. Peer VPN routers at the company core office are dual-homed to different multilayer switches for link diversity should one of the links fail. It is essential that traffic from one business partner does not end up at another business partner's office. The switches are located between the internal and external firewalls and are also used to connect the public servers and the external DNS server. That is not a security issue in itself, because the external firewall filters the public Internet traffic reaching those switches; partner isolation, however, has to be enforced explicitly with filtering and VLAN separation on those switches.
In addition, filtering is implemented at each network switch to prevent routes from being advertised between partners and to keep vulnerabilities from being exploited through the business partner connections on the company core office multilayer switches. A separate VLAN is assigned on each network switch to each business partner to strengthen security and segment subnet traffic. The tier 2 external firewall examines each packet and permits only those with a business partner source and destination IP address and the application and protocol ports that partner requires. Business partner sessions must authenticate with a RADIUS server. Once that is done, they authenticate to the Windows, Solaris or mainframe hosts before starting any applications.
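The filtering rules described for both the Access VPN (telecommuter address pool, required ports only) and the Extranet VPN (per-partner source and destination ranges, no partner-to-partner traffic) can be expressed as a small default-deny policy. The following is an added example, not configuration from the article or from any firewall vendor: a stateless policy evaluator over constructed packets. The address ranges, hosts, ports and rule names are all assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not from the article). A stateless model of the firewall
# filtering described for the Access and Extranet VPN designs: only traffic
# from the telecommuter address pool or a business partner's range may enter,
# only to the core hosts and ports that group requires, and partner-to-partner
# traffic is always dropped. All address ranges, hosts and ports are
# constructed for the example.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    src_nets: tuple      # networks the source must belong to
    dst_nets: tuple      # networks the destination must belong to
    services: frozenset  # allowed (proto, dport) pairs

def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

# Constructed address plan.
TELECOMMUTER_POOL = ("10.200.0.0/24",)   # pool handed out to VPN clients (Mode Config)
PARTNER_A = ("172.16.10.0/24",)
PARTNER_B = ("172.16.20.0/24",)
CORE_APP_SERVERS = ("10.10.1.0/24",)
CORE_MAINFRAME = ("10.10.9.10/32",)

POLICY = [
    Rule("telecommuters", TELECOMMUTER_POOL, CORE_APP_SERVERS,
         frozenset({("tcp", 443), ("tcp", 445), ("udp", 53)})),
    Rule("partner-a", PARTNER_A, CORE_APP_SERVERS, frozenset({("tcp", 443)})),
    Rule("partner-b", PARTNER_B, CORE_MAINFRAME, frozenset({("tcp", 23)})),
]

PARTNER_NETS = PARTNER_A + PARTNER_B

def evaluate(pkt, policy=POLICY):
    """Return (decision, reason). Default deny: the packet must match a rule."""
    # Partner isolation is checked first so that no later rule can allow it by accident.
    if _in_any(pkt.src, PARTNER_NETS) and _in_any(pkt.dst, PARTNER_NETS):
        return "deny", "partner-to-partner"
    for rule in policy:
        if not _in_any(pkt.src, rule.src_nets):
            continue
        if not _in_any(pkt.dst, rule.dst_nets):
            continue
        if (pkt.proto, pkt.dport) not in rule.services:
            continue
        return "permit", rule.name
    return "deny", "no matching rule"

def demo():
    # Constructed traffic samples.
    samples = [
        Packet("10.200.0.17", "10.10.1.5", "tcp", 443),    # telecommuter to app server
        Packet("10.200.0.17", "10.10.1.5", "tcp", 22),     # port not in the allowed set
        Packet("10.200.9.1", "10.10.1.5", "tcp", 443),     # source outside the assigned pool
        Packet("172.16.10.8", "172.16.20.8", "tcp", 443),  # partner A to partner B
        Packet("172.16.20.8", "10.10.9.10", "tcp", 23),    # partner B to its mainframe
        Packet("172.16.20.8", "10.10.1.5", "tcp", 443),    # partner B to app servers it may not use
    ]
    return [evaluate(p) for p in samples]

if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, reason)
```

The partner-to-partner check is placed before the rule walk deliberately: if the partner ranges were ever added to a rule's destination set by mistake, the isolation requirement would still hold. In a real deployment the same separation is also enforced at layer 2 by the per-partner VLANs and route filtering on the switches, so the firewall is not the only control.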