This article covers the essential technical concepts behind a VPN. A Virtual Private Network (VPN) connects remote employees, company offices and business partners over the Internet, using encrypted tunnels between locations. An Access VPN connects remote users to the enterprise network. The remote workstation or laptop uses an access circuit (cable, DSL or wireless) to reach a local Internet Service Provider (ISP). In the client-initiated model, VPN client software on the remote workstation builds an encrypted tunnel from the laptop all the way to the company VPN router or concentrator, using IPSec, Layer 2 Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP); the ISP only carries the already-encrypted packets. A TACACS+, RADIUS or Windows server authenticates the remote user as an employee permitted to reach the company network. After that, the remote user still has to authenticate to the local Windows domain controller, Unix server or mainframe host, depending on where the network account is held. In the ISP-initiated model, the user authenticates to the ISP, and the ISP's access server builds the tunnel, using L2TP or L2F, from the ISP to the company VPN router or concentrator. This model is less secure than the client-initiated model because the tunnel covers only the ISP-to-company leg: traffic between the laptop and the ISP is not encrypted, and the company has to trust the ISP's authentication of the user. Of the three client protocols, PPTP is a legacy choice whose MS-CHAP authentication has well-known weaknesses and should not be used for new deployments.
The Extranet VPN connects business partners to the company network by building a secure VPN connection from the business partner's router to the company VPN router or concentrator. The tunneling protocol depends on whether the partner connects through a router or a remote dial-up connection: a router-connected Extranet VPN uses IPSec or Generic Routing Encapsulation (GRE), while dial-up extranet connections use L2TP or L2F. The Intranet VPN connects company offices over a secure connection in the same way, with IPSec or GRE as the tunneling protocol. Note that GRE only encapsulates; it neither encrypts nor authenticates, so a GRE tunnel that crosses the Internet is normally protected by IPSec. What makes VPNs economical and efficient is that they carry company traffic over the existing Internet rather than dedicated leased circuits. This is also why many companies choose IPSec as the security protocol for protecting data as it travels between routers, or between a laptop and a router. In the deployments described here, IPSec provides confidentiality with 3DES encryption, peer authentication and key exchange with IKE, and packet integrity and data-origin authentication with HMAC-MD5. Authorization of the user (what they may reach once connected) is not an IPSec function; it is done by the RADIUS or TACACS+ server and the firewall policy described below. 3DES and MD5 are legacy algorithms: current deployments use AES (for example AES-GCM) with SHA-2 integrity and IKEv2.
Internet Protocol Security (IPSec) – IPSec is worth describing in more detail because it is the most prevalent security protocol used today for Virtual Private Networking. IPSec was specified in RFC 2401 (since superseded by RFC 4301) and developed as an open standard for secure transport of IP traffic across the public Internet. In tunnel mode the packet consists of an outer IP header, the IPSec (ESP) header, and the Encapsulating Security Payload carrying the encrypted original IP packet, followed by the ESP trailer and the integrity check value. IPSec provides encryption with 3DES and integrity and data-origin authentication with HMAC-MD5 (HMAC-MD5-96, RFC 2403). Internet Key Exchange (IKE), built on ISAKMP, automates the negotiation and distribution of secret keys between IPSec peer devices (concentrators and routers). Security associations (SAs) are unidirectional: each SA protects traffic in one direction, so a two-way connection needs a pair of them. An IPSec SA is defined by its encryption algorithm (3DES), its hash algorithm (HMAC-MD5) and the peer-authentication method negotiated by IKE (pre-shared key or digital certificate). Access VPN implementations therefore use three SAs per connection: the bidirectional IKE SA plus one IPSec SA for transmit and one for receive. An enterprise network with many IPSec peer devices uses a Certificate Authority (CA) and digital certificates for peer authentication instead of IKE with pre-shared keys, because distributing and rotating a pre-shared key per peer does not scale.
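The ESP packet layout, the HMAC-MD5-96 integrity check and the anti-replay window are easiest to see in code. The following is an added example written for this article, not code from the page or from any IPSec implementation. It builds and verifies ESP packets for one unidirectional SA (SPI, sequence number, payload, padding, pad length, next header, ICV), rejects modified and replayed packets, and shows why a peer needs a transmit SA and a receive SA. The SPI values and the 16-byte authentication key are assumed; in a real SA, IKE would derive the key. Payload encryption is deliberately left out because the standard library has no 3DES, so the payload is handled as an opaque byte string that a real SA would already have encrypted with 3DES-CBC.

```python
"""ESP framing, HMAC-MD5-96 integrity and anti-replay for one IPSec SA.
Added example, not code from the page or from any IPSec implementation.
Layout per RFC 2406: SPI | Sequence | Payload | Padding | Pad Len | Next Hdr | ICV,
with the ICV (RFC 2403) computed over everything before it.  Payload
encryption is left out (no 3DES in the standard library): the payload is
treated as an opaque byte string a real SA would have encrypted."""
import hashlib
import hmac
import struct

ICV_LEN = 12     # HMAC-MD5-96: 128-bit MAC truncated to 96 bits
WINDOW = 64      # anti-replay window size; RFC 2401 recommends at least 32


class EspSa:
    """One unidirectional SA.  A peer needs two (transmit and receive) plus
    the IKE SA that negotiated them: the 'three SAs' mentioned in the text."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi = spi
        self.auth_key = auth_key    # assumed key; derived by IKE in a real SA
        self.seq = 0                # sender: last sequence number used
        self.highest = 0            # receiver: highest sequence number accepted
        self.bitmap = 0             # receiver: bit d set = (highest - d) already seen

    def _icv(self, data: bytes) -> bytes:
        return hmac.new(self.auth_key, data, hashlib.md5).digest()[:ICV_LEN]

    def encapsulate(self, payload: bytes, next_header: int = 4) -> bytes:
        """Build an ESP packet.  next_header 4 = IP-in-IP, i.e. tunnel mode."""
        self.seq += 1
        if self.seq >= 2 ** 32:
            raise RuntimeError("sequence number exhausted: rekey the SA")
        pad_len = (-(len(payload) + 2)) % 4          # 4-byte alignment of the trailer
        padding = bytes(range(1, pad_len + 1))       # RFC 2406 default pad bytes
        body = (struct.pack("!II", self.spi, self.seq) + payload + padding
                + bytes([pad_len, next_header]))
        return body + self._icv(body)

    def _replay_ok(self, seq: int) -> bool:
        if seq == 0:
            return False                              # 0 is never a valid sequence
        if seq > self.highest:
            return True                               # to the right of the window
        diff = self.highest - seq
        return diff < WINDOW and not (self.bitmap >> diff) & 1

    def _replay_update(self, seq: int) -> None:
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def decapsulate(self, packet: bytes):
        """RFC 2406 receive order: SPI lookup, replay pre-check, ICV check, then
        window update, so a forged packet can never advance the window.
        Returns (next_header, payload) or raises ValueError."""
        if len(packet) < 8 + 2 + ICV_LEN:
            raise ValueError("short packet")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack("!II", body[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not self._replay_ok(seq):
            raise ValueError("replayed or stale sequence number")
        if not hmac.compare_digest(self._icv(body), icv):
            raise ValueError("ICV mismatch: packet modified or wrong key")
        self._replay_update(seq)
        pad_len, next_header = body[-2], body[-1]
        if 8 + pad_len + 2 > len(body):
            raise ValueError("bad pad length")
        return next_header, body[8:len(body) - 2 - pad_len]


def rejects(sa: EspSa, packet: bytes) -> bool:
    """True if the receiving SA discards the packet."""
    try:
        sa.decapsulate(packet)
        return False
    except ValueError:
        return True
```

The ICV covers the SPI and sequence number as well as the payload, which is what lets the receiver detect both tampering and replay; the outer IP header is not covered, which is why ESP tunnels survive NAT of the outer addresses. Note that the window is only advanced after the ICV verifies, so an attacker who cannot forge the MAC cannot push legitimate late packets out of the window.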
Laptop – VPN Concentrator IPSec Peer Connection
1. IKE Phase 1 Security Association Negotiation – the laptop and concentrator authenticate each other (pre-shared key or certificate) and build the IKE SA
2. XAUTH Request / Response – the concentrator prompts for user credentials and checks them against the RADIUS server
3. Mode Config Response / Acknowledge – the concentrator pushes the client's inner IP address, DNS servers and other settings (in place of DHCP)
4. IKE Phase 2 (Quick Mode) – negotiation of the pair of IPSec Security Associations (transmit and receive)
5. IPSec Tunnel Up – user traffic is now carried inside ESP to the concentrator
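Step 2 is where the concentrator turns the user's XAUTH credentials into a RADIUS Access-Request and waits for an Access-Accept or Access-Reject. The following added example, written for this article and not taken from the page or from any vendor's code, shows both sides of that exchange as RFC 2865 defines it: the User-Password attribute hidden with the MD5-based scheme, the Request Authenticator, and the Response Authenticator the concentrator must verify before trusting the verdict. The shared secret, the NAS address and the user database are constructed for the example. The RADIUS password hiding and MD5 authenticators are weak by modern standards, which is why the concentrator-to-RADIUS leg should run on a protected management network or over RadSec (RADIUS over TLS).

```python
"""XAUTH leg of the Access VPN: the concentrator proxies the user's
credentials to RADIUS.  Added example, not from the page: a minimal RFC 2865
Access-Request / Access-Accept exchange using only the standard library.
Shared secret, NAS address and user database are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

SHARED_SECRET = b"concentrator-radius-secret"                  # assumed, shared out of band
USER_DB = {"telecommuter1": b"correct horse battery staple"}   # constructed sample user


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """attrs: list of (type, value); each attribute is Type, Length (incl. header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, req_auth, attrs_body, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_body))
    return hashlib.md5(header + req_auth + attrs_body + secret).digest()


def client_access_request(username: str, password: bytes, ident: int = 1, req_auth=None):
    """Concentrator side: build the Access-Request for the XAUTH credentials."""
    req_auth = req_auth or os.urandom(16)          # must be unpredictable per request
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password, SHARED_SECRET, req_auth)),
             (ATTR_NAS_IP, bytes([192, 0, 2, 1]))]  # constructed concentrator address
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(packet: bytes) -> bytes:
    """RADIUS side: recover the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("bad request")
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    ok = user in USER_DB and hmac.compare_digest(pw, USER_DB[user])
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = b""                                     # no reply attributes in this example
    resp_auth = response_authenticator(resp_code, ident, req_auth, body, SHARED_SECRET)
    return build_packet(resp_code, ident, resp_auth, body)


def client_check_response(response: bytes, ident: int, req_auth: bytes):
    """Verify ID and Response Authenticator before trusting the verdict; otherwise
    a forged Access-Accept on the path would admit anyone.  Returns True/False,
    or None if the response is not authentic."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident or length != len(response):
        return None
    expected = response_authenticator(code, rid, req_auth, response[20:], SHARED_SECRET)
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code == ACCESS_ACCEPT


def xauth(username: str, password: bytes):
    """Whole round trip: True = accept, False = reject, None = unauthentic reply."""
    req, req_auth = client_access_request(username, password)
    return client_check_response(server_handle(req), 1, req_auth)
```

The check in client_check_response is the part that is most often skipped in home-grown NAS code: the Access-Accept carries no proof of origin except the Response Authenticator, which is keyed with the shared secret and bound to the Request Authenticator of the matching request.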
Access VPN Design – The Access VPN leverages the availability and low cost of the Internet for connectivity to the company core office, using WiFi, DSL and cable access circuits from local Internet Service Providers. The primary problem is that company data must be protected as it travels across the Internet from the telecommuter laptop to the company core office. The client-initiated model is used: an IPSec tunnel is built from each client laptop and terminated on a VPN concentrator at the core office. Each laptop is configured with VPN client software running on Windows. The telecommuter first connects to the ISP (dial-up, DSL or cable) and authenticates with the ISP where the ISP requires it. The VPN client then authenticates to the concentrator with XAUTH, and the company RADIUS server authenticates each connection as an authorized telecommuter. Once that is finished, the remote user authenticates to, and is authorized by, the Windows, Solaris or mainframe server before starting any applications. Dual VPN concentrators are configured for failover with the Virtual Router Redundancy Protocol (VRRP), so that one takes over should the other become unavailable.
Each concentrator is connected between the external router and the firewall, so the firewall only ever sees decrypted traffic from authenticated tunnels. A feature of the VPN concentrators mitigates denial of service (DoS) attacks from outside hackers that could affect network availability. The firewalls are configured to permit only source and destination IP addresses assigned to each telecommuter from the pre-defined address pool (the addresses the concentrator hands out through Mode Config), and only the application and protocol ports that are actually needed. Because the firewall keys on the inner address, the policy is only as trustworthy as the concentrator's assignment of those addresses after authentication.
Extranet VPN Design – The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus because the Internet is used to transport all data traffic from each business partner. A circuit connection from each business partner terminates on a VPN router at the company core office. Each business partner and its peer VPN router at the core office use a router with a VPN module, which provides IPSec and high-speed hardware encryption of packets before they are transported across the Internet. Peer VPN routers at the company core office are dual-homed to different multilayer switches for link diversity, should one of the links be unavailable. It is important that traffic from one business partner does not wind up at another business partner's office. The switches sit between the internal and external firewalls and are also used to connect public servers and the external DNS server. Sharing those switches is acceptable only because the external firewall filters public Internet traffic and because each partner is confined to its own VLAN, as described next.
Additional filtering is implemented at each network switch to prevent partner routes from being advertised into the core and to prevent vulnerabilities from being exploited through the business partner connections on the company core office multilayer switches. A separate VLAN is assigned on each network switch for each business partner, to improve security and segment subnet traffic. The tier 2 external firewall examines each packet and permits only those with the business partner source and destination IP addresses, applications and protocol ports they require. Business partner sessions must authenticate through a RADIUS server. Once that is finished, they authenticate to the Windows, Solaris or mainframe hosts before starting any applications.
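The two requirements above, per-partner permits for only the services they need and no partner-to-partner traffic, are easy to state and easy to break with one overly broad rule. The following added example, written for this article and not a configuration from the page, models the tier 2 external firewall as a first-match access list and adds the check a practitioner would run against it: an automated probe that reports any partner pair for which some flow is permitted. The partner subnets, core server addresses and ports are constructed (RFC 5737 documentation ranges); a real audit would enumerate the full address space and port range rather than a handful of probes.

```python
"""Extranet firewall policy: permit each business partner only to the core
servers it needs, and verify that no partner can reach another partner.
Added example with constructed RFC 5737 addresses, not a configuration from
the page.  First-match semantics, like a router or firewall ACL."""
import ipaddress
from itertools import permutations

# Constructed design data: partner subnets arriving over their VPN routers,
# and the core servers every partner is allowed to reach.
PARTNERS = {"partnerA": "198.51.100.0/24", "partnerB": "203.0.113.0/24"}
CORE_SERVERS = [("10.10.1.10/32", "tcp", 443),   # ERP web front end
                ("10.10.1.20/32", "tcp", 22)]    # SFTP drop box


def rule(action, src, dst, proto="any", dport=None):
    """One ACL entry; proto 'any' and dport None are wildcards."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)


def build_policy(partners, servers):
    """Per-partner permits to named services, then an explicit deny-all."""
    rules = []
    for net in partners.values():
        for host, proto, port in servers:
            rules.append(rule("permit", net, host, proto, port))
    rules.append(rule("deny", "0.0.0.0/0", "0.0.0.0/0"))
    return rules


def evaluate(rules, src, dst, proto, dport):
    """First matching rule decides; an exhausted list means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rproto, rport in rules:
        if s in rsrc and d in rdst and rproto in ("any", proto) and rport in (None, dport):
            return action
    return "deny"


def partner_isolation_violations(rules, partners):
    """Return (src_partner, dst_partner) pairs for which any probed flow between
    the two partner subnets is permitted.  Probes the first usable host of each
    subnet on a few representative services."""
    probes = [("tcp", 22), ("tcp", 443), ("udp", 53), ("icmp", None)]
    violations = []
    for (a, anet), (b, bnet) in permutations(partners.items(), 2):
        src = str(next(ipaddress.ip_network(anet).hosts()))
        dst = str(next(ipaddress.ip_network(bnet).hosts()))
        if any(evaluate(rules, src, dst, p, port) == "permit" for p, port in probes):
            violations.append((a, b))
    return violations
```

The weak configuration the check is designed to catch is a single "permit partnerA to any" entry placed ahead of the service-specific rules, which is exactly the kind of shortcut added during troubleshooting and never removed; with first-match semantics it silently opens partner A to partner B's VLAN through the core.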