Virtual Private Networks

dargspur, Networks and Communications

27 Oct 2013 (4 years and 2 months ago)

81 views

Virtual Private Networks

Alberto Pace

IT/IS Technical Meeting


January 2002

What is a VPN?


A technology that allows confidential data to be sent
securely over the Internet


What is a VPN?


The remote computer can connect to the Internet
through an arbitrary Internet Service Provider (ISP) and
still have an IP address in the intranet.


The computer can act as if it were on the intranet



Point-to-Point Tunneling Protocol


You can access a private network through the Internet or
another public network by using a virtual private network
(VPN) connection with the Point-to-Point Tunneling
Protocol (PPTP).


Developed as an extension of the Point-to-Point Protocol
(PPP).


PPTP tunnels, i.e. encapsulates, IP, IPX or NetBEUI
protocols inside PPP datagrams (the PPP frames themselves
travel in GRE, IP protocol 47, alongside a control
connection on TCP port 1723, so both must be allowed
through any firewall in between).


PPTP does not require a dial-up connection. It does,
however, require IP connectivity between your computer
and the server.


My understanding is that it uses Microsoft Point-to-Point
Encryption (MPPE)


Layer Two Tunneling Protocol


L2TP is an industry-standard Internet tunneling protocol
with roughly the same functionality as the Point-to-Point
Tunneling Protocol (PPTP).


Like PPTP, L2TP encapsulates Point-to-Point Protocol (PPP)
frames, which in turn encapsulate IP, IPX or NetBEUI
protocols.


L2TP itself does not encrypt. With L2TP over the new
Internet Protocol security (IPSec), the computer performs
all security checks and validations and enables data
encryption, which makes it much safer to send information
over non-secure networks.


In this case data transfer through an L2TP-enabled VPN is as
secure as within a single LAN at a corporate site.


Internet Protocol security (IPSec)


IPSec provides machine-level authentication, as well
as data encryption.


IPSec negotiates between your computer and its
remote tunnel server before the L2TP connection is
established, which secures both passwords and data:
the PPP authentication exchange already travels inside
the IPSec tunnel.


Authentication Methods


Challenge Handshake Authentication Protocol (CHAP)


Uses Message Digest 5 (MD5) challenge-response


MS-CHAP


Same as CHAP, plus the functionality to which LAN-based
users are accustomed


MS-CHAP is consistent with standard CHAP (a superset of its
functionality)


You must use at least MS-CHAP to use MPPE (encryption)


MS-CHAP v2


Both the client and the server prove their identities, not
only the client. With v2 your connection can be configured
to connect only to the expected server.


Extensible Authentication Protocol (EAP)


Allows other security devices to be used. EAP provides a
standard mechanism for supporting additional authentication
methods within PPP, including token cards, one-time
passwords, public-key authentication using smart cards,
certificates, and others.
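The challenge-response idea behind CHAP, and the difference MS-CHAP v2's mutual authentication makes, is easier to see with both sides of the exchange written out. The following is an added example and not code from the original slides or from CERN: it implements the RFC 1994 CHAP response exactly (MD5 over identifier, secret and challenge), while the "mutual" part only illustrates the v2 principle that the server must also prove itself and is not the real MS-CHAP v2 algorithm. The peer names, secrets, word list and the rogue server are all constructed for the illustration.

```python
"""CHAP challenge/response (RFC 1994) simulated end to end.

Added example, not code from the original slides.  Peer names, secrets and
the word list are constructed; the "mutual" part shows the MS-CHAP v2
principle (server proves itself too), not the real MS-CHAP v2 algorithm,
and RogueServer is a hypothetical attacker.
"""
from __future__ import annotations

import hashlib
import hmac
import os

SERVER_TAG = b"server-proof"  # keeps a server proof from being a reflected client response


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """VPN server side: knows every peer's secret and issues the challenges."""

    def __init__(self, secrets: dict[str, bytes]):
        self._secrets = dict(secrets)
        self._identifier = 0
        self._outstanding = {}  # peer name -> (identifier, challenge)

    def challenge(self, peer: str) -> tuple[int, bytes]:
        # A fresh random challenge per attempt is what defeats replay.
        self._identifier = (self._identifier + 1) & 0xFF
        chal = os.urandom(16)
        self._outstanding[peer] = (self._identifier, chal)
        return self._identifier, chal

    def verify(self, peer: str, identifier: int, response: bytes) -> bool:
        if peer not in self._secrets or peer not in self._outstanding:
            return False
        expected_id, chal = self._outstanding.pop(peer)  # single use
        if identifier != expected_id:
            return False
        expected = chap_response(identifier, self._secrets[peer], chal)
        return hmac.compare_digest(expected, response)

    def prove(self, peer: str, identifier: int, client_challenge: bytes) -> bytes:
        """Mutual variant: answer the client's challenge with the shared secret."""
        return chap_response(identifier, self._secrets[peer], client_challenge + SERVER_TAG)


class Peer:
    """VPN client side: holds one secret and answers challenges."""

    def __init__(self, name: str, secret: bytes):
        self.name, self._secret = name, secret
        self._server_challenge = b""

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)

    def challenge_server(self) -> bytes:
        self._server_challenge = os.urandom(16)
        return self._server_challenge

    def verify_server(self, identifier: int, proof: bytes) -> bool:
        expected = chap_response(identifier, self._secret, self._server_challenge + SERVER_TAG)
        return hmac.compare_digest(expected, proof)


class RogueServer(Authenticator):
    """Hypothetical attacker: accepts any client without knowing its secret."""

    def verify(self, peer: str, identifier: int, response: bytes) -> bool:
        self._outstanding.pop(peer, None)
        return True


def one_way_chap(auth: Authenticator, peer: Peer) -> bool:
    """Plain CHAP / MS-CHAP v1: only the client proves itself."""
    ident, chal = auth.challenge(peer.name)
    return auth.verify(peer.name, ident, peer.respond(ident, chal))


def mutual_chap(auth: Authenticator, peer: Peer) -> bool:
    """MS-CHAP v2 style: the client also demands proof from the server."""
    ident, chal = auth.challenge(peer.name)
    client_ok = auth.verify(peer.name, ident, peer.respond(ident, chal))
    proof = auth.prove(peer.name, ident, peer.challenge_server())
    return client_ok and peer.verify_server(ident, proof)


def replay_attempt(auth: Authenticator, peer: Peer) -> tuple[bool, bool]:
    """Capture one valid response, then replay it against a new challenge."""
    ident, chal = auth.challenge(peer.name)
    captured = peer.respond(ident, chal)
    first = auth.verify(peer.name, ident, captured)
    new_ident, _ = auth.challenge(peer.name)
    return first, auth.verify(peer.name, new_ident, captured)


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  candidates: list[bytes]) -> bytes | None:
    """What a sniffer on the link can do: no password crosses the wire, but
    each candidate secret can be tested offline against the captured exchange."""
    for cand in candidates:
        if chap_response(identifier, cand, challenge) == response:
            return cand
    return None


def sniffed_weak_secret() -> bytes | None:
    auth = Authenticator({"bob": b"letmein"})
    bob = Peer("bob", b"letmein")
    ident, chal = auth.challenge("bob")
    resp = bob.respond(ident, chal)  # identifier, challenge, response: all the sniffer sees
    wordlist = [b"password", b"123456", b"letmein", b"qwerty"]  # constructed
    return offline_guess(ident, chal, resp, wordlist)


if __name__ == "__main__":
    real = Authenticator({"alice": b"correct horse battery staple"})
    alice = Peer("alice", b"correct horse battery staple")
    print("one-way, genuine server:", one_way_chap(real, alice))
    print("one-way, rogue server  :", one_way_chap(RogueServer({"alice": b"?"}), alice))
    print("mutual,  rogue server  :", mutual_chap(RogueServer({"alice": b"?"}), alice))
    print("weak secret recovered  :", sniffed_weak_secret())
```

Two things the run makes visible: the one-way exchange cannot tell a rogue server from the genuine one (a client will happily authenticate to anything that sends a challenge), which is exactly what v2's server proof fixes, and a captured exchange is only as strong as the secret behind it, since a guessable password falls to an offline word list even though the password itself never crossed the wire.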


Types of VPNs


Router-to-Router


Types of VPNs


Remote Access VPNs


Tests at CERN


PCAP7 (computer in my office)


From the client


The machine we have is on the intranet only. We have
to simulate internet/intranet.


The page http://cern.ch/Win/Temp/vpn.asp considers
the address range 137.138.32.xxx to be intranet.


Connect to the VPN


From "My Network Places"


Right-click


"Properties"


"Create New Connection"


Try to connect


Conclusions so far


If we open the PPTP port on address 137.138.33.62, we have
today a working solution with the following limitations:


Uses PPTP and Microsoft Point-to-Point Encryption (MPPE)


Windows computers have all the necessary software natively


Windows machines can be identified (as members of the
domain or of an ad-hoc domain)


Security is strengthened by the domain logon, which can be
tightened as much as you want


This is the current "industry standard"


Used world-wide; secure and proven technology


Evolution towards L2TP and IPSec is coming, but slowly
(it requires heavy infrastructure)



More conclusions so far


Using this technology, we could rapidly open a VPN service for
WINDOWS users


Time to install and configure the VPN server: ~ 8 hours


Time to configure a Windows client that already has TCP/IP
connectivity: ~ 1 minute


Support for Linux users could come from the "community"


It may be very expensive to formally support Linux clients


Not a standard technology


To my knowledge, no companies have "roaming Linux users" on
the Internet to the same extent that we have


Deploying the IPsec infrastructure to support L2TP will require an
administrative office to distribute, revoke and maintain computer
certificates and user certificates.


This may not be possible within the current resources, and may
require several years


Yet another computer registration? Yet another user registration?


We should try to have LANDB and CCDB move in this direction. Only if
this happens can the investment be justified.