This article covers some essential technical concepts associated with a VPN. A Virtual Private Network (VPN) integrates remote employees, company offices, and business partners using the Internet and secures encrypted tunnels between locations. An Access VPN can be used to connect remote users to the enterprise network. The remote workstation or laptop uses an access circuit such as Cable, DSL or Wireless to connect to a local Internet Service Provider (ISP). In the client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop to the ISP using IPSec, Layer 2 Tunneling Protocol (L2TP), or Point to Point Tunneling Protocol (PPTP). The user must authenticate with the ISP as a permitted VPN user. Once that is done, the ISP builds an encrypted tunnel to the company VPN router or concentrator. TACACS, RADIUS or Windows servers then authenticate the remote user as an employee who is allowed access to the company network. With that finished, the remote user must then authenticate to the local Windows domain server, Unix server or Mainframe host, depending on where their network account is located. The ISP-initiated model is less secure than the client-initiated model, since the encrypted tunnel is built only from the ISP to the company VPN router or VPN concentrator. In that model the secure VPN tunnel is constructed with L2TP or L2F.
The Extranet VPN connects business partners to the company network by building a secure VPN connection from the business partner router to the company VPN router or concentrator. The tunneling protocol used depends on whether it is a router connection or a remote dialup connection. The options for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE). Dialup extranet connections use L2TP or L2F. The Intranet VPN connects company offices over a secure connection using the same approach, with IPSec or GRE as the tunneling protocols. It is essential to note that what makes VPNs so cost effective and efficient is that they leverage the existing Internet for transporting company traffic. That is why most companies select IPSec as the security protocol of choice for guaranteeing that information is secure as it travels between routers, or between laptop and router. IPSec is composed of 3DES encryption, IKE key exchange authentication and MD5 route authentication, which provide authentication, authorization and confidentiality.
Internet Protocol Security (IPSec) – The IPSec protocol is worth noting because it is such a prevalent security protocol used today with Virtual Private Networking. IPSec is specified in RFC 2401 and was developed as an open standard for secure transport of IP across the public Internet. The packet structure is composed of an IP header / IPSec header / Encapsulating Security Payload. IPSec provides encryption services with 3DES and authentication with MD5. In addition there are Internet Key Exchange (IKE) and ISAKMP, which automate the distribution of secret keys between IPSec peer devices (concentrators and routers). These protocols are required for negotiating one-way or two-way security associations. An IPSec security association is composed of an encryption algorithm (3DES), a hash algorithm (MD5) and an authentication method (MD5). Access VPN implementations use 3 security associations (SA) per connection (transmit, receive and IKE). A company network with many IPSec peer devices will employ a Certificate Authority for scalability of the authentication process instead of IKE/pre-shared keys.
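As an added illustration (not code from the article), the following Python sketches the packet layout and SA handling just described: it splits a constructed IPv4 datagram into IP header / ESP header / protected payload, finds the receive SA by its SPI, and applies the ESP anti-replay window a concentrator enforces before decryption. The window size, SPI values and addresses are assumed, and no actual 3DES/MD5 processing is performed.

```python
import struct
from dataclasses import dataclass, field

ESP_PROTO = 50  # IP protocol number carried in the IP header for ESP


@dataclass
class SecurityAssociation:
    """One IPSec SA as the article lists it: cipher, hash, auth method, keyed by SPI."""
    spi: int
    direction: str                 # "receive" or "transmit"; the IKE SA is kept separately
    cipher: str = "3DES"
    hash_alg: str = "MD5"
    auth_method: str = "pre-shared-key"
    window: int = 64               # anti-replay window size (assumed value)
    last_seq: int = 0              # highest ESP sequence number accepted so far
    seen: set = field(default_factory=set)


def parse_ip_esp(packet: bytes) -> dict:
    """Split an IPv4 datagram into IP header / ESP header (SPI, sequence) / protected payload."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or len(packet) < ihl + 8:
        raise ValueError("not an IPv4 packet carrying an ESP header")
    if packet[9] != ESP_PROTO:
        raise ValueError(f"IP protocol {packet[9]} is not ESP")
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    dst = ".".join(str(b) for b in packet[16:20])
    return {"dst": dst, "spi": spi, "seq": seq, "payload": packet[ihl + 8:]}


def accept_inbound(sadb: dict, packet: bytes) -> bool:
    """Look up the receive SA by SPI and enforce the anti-replay window; True means pass on to decryption."""
    hdr = parse_ip_esp(packet)
    sa = sadb.get(hdr["spi"])
    if sa is None or sa.direction != "receive":
        return False                       # no receive SA for this SPI: drop
    seq = hdr["seq"]
    if seq <= sa.last_seq - sa.window or seq in sa.seen:
        return False                       # older than the window, or already seen: replay
    sa.seen.add(seq)
    sa.last_seq = max(sa.last_seq, seq)
    sa.seen = {s for s in sa.seen if s > sa.last_seq - sa.window}  # slide the window forward
    return True


def build_packet(dst: str, spi: int, seq: int, payload: bytes = b"\x00" * 16) -> bytes:
    """Constructed sample: 20-byte IPv4 header (protocol 50) followed by an 8-byte ESP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, ESP_PROTO, 0,
                     bytes([10, 0, 0, 1]), bytes(int(x) for x in dst.split(".")))
    return ip + struct.pack("!II", spi, seq) + payload
```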
Laptop – VPN Concentrator IPSec Peer Connection
1. IKE Security Association Negotiation
2. IPSec Tunnel Setup
3. XAUTH Request / Response – (RADIUS Server Authentication)
4. Mode Config Response / Acknowledge (DHCP and DNS)
5. IPSec Security Association
Access VPN Design – The Access VPN leverages the availability and low cost of the Internet for connectivity to the company core office, with WiFi, DSL and Cable access circuits from local Internet Service Providers. The main concern is that company data must be protected as it travels over the Internet from the telecommuter laptop to the company core office. The client-initiated model will be used, which builds an IPSec tunnel from each client laptop that is terminated at a VPN concentrator. Each laptop will be configured with VPN client software that runs on Windows. The telecommuter must first dial a local access number and authenticate with the ISP. The RADIUS server will authenticate each dial connection as an authorized telecommuter. Once that is finished, the remote user will authenticate and authorize with Windows, Solaris or a Mainframe server before starting any applications. Dual VPN concentrators will be configured for failover with Virtual Router Redundancy Protocol (VRRP) should one of them be unavailable.
Each concentrator is connected between the external router and the firewall. A new feature of the VPN concentrators prevents denial of service (DoS) attacks from external hackers that could affect network availability. The firewalls are configured to permit the source and destination IP addresses that are allotted to each telecommuter from the pre-defined range. As well, any application and protocol ports that are required will be permitted through the firewall.
Extranet VPN Design – The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus since the Internet will be used for transporting all data traffic from each business partner. There will be a circuit connection from each business partner that terminates at a VPN router at the company core office. Each business partner and its peer VPN router at the core office will use a router with a VPN module. That module provides IPSec and high-speed hardware encryption of packets before they are transported across the Internet. Peer VPN routers at the company core office are dual homed to different multilayer switches for link diversity should one of the links be unavailable. It is essential that traffic from one business partner doesn't end up at another business partner office. The switches are situated between the external and internal firewalls and are used for connecting public servers and the external DNS server. That isn't a security issue since the external firewall is filtering public Internet traffic.
Furthermore, filtering can be implemented at each network switch as well, to prevent routes from being advertised or vulnerabilities from being exploited as a result of having business partner connections at the company core office multilayer switches. Separate VLANs will be assigned at each network switch for each business partner to boost security and segment subnet traffic. The tier 2 external firewall will examine each packet and permit those that have the business partner source and destination IP addresses, application and protocol ports they require. Business partner sessions must authenticate with a RADIUS server. Once that is finished, they will authenticate at Windows, Solaris or Mainframe hosts before starting any applications.
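To make the filtering described for the telecommuter firewall and for the business partner tier 2 firewall concrete, here is an added Python example (not the article's own configuration) that evaluates packets against an explicit allow list with a default deny, and audits the rule set for any rule that would let one business partner's VLAN reach another's. The address ranges, VLAN numbering and port numbers are constructed assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed address plan (assumed, not from the article): the pool handed to telecommuters
# by Mode Config, one VLAN/subnet per business partner, and the core office servers.
TELECOMMUTER_POOL = net("10.200.0.0/24")
PARTNER_A = net("172.16.10.0/24")     # VLAN 10 (assumed)
PARTNER_B = net("172.16.20.0/24")     # VLAN 20 (assumed)
CORE_APP = net("10.1.1.0/24")
RADIUS = net("10.1.2.5/32")

# Allow list: only the source/destination ranges and application ports each party requires.
RULES = [
    Rule("telecommuter-https", TELECOMMUTER_POOL, CORE_APP, "tcp", 443),
    Rule("partnerA-https", PARTNER_A, CORE_APP, "tcp", 443),
    Rule("partnerB-sql", PARTNER_B, CORE_APP, "tcp", 1433),
    Rule("partners-radius", net("172.16.0.0/16"), RADIUS, "udp", 1812),
]


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> Optional[str]:
    """First-match allow list with an implicit default deny; returns the matching rule name or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and proto == r.proto and dport == r.dport:
            return r.name
    return None


def partner_isolation_violations(rules: List[Rule], partner_nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Audit: names of rules that would let traffic from one partner subnet reach another partner's subnet."""
    bad = []
    for r in rules:
        for a in partner_nets:
            for b in partner_nets:
                if a != b and r.src.overlaps(a) and r.dst.overlaps(b) and r.name not in bad:
                    bad.append(r.name)
    return bad
```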