Chapter 11 Setting Up a Virtual Private Network Objectives After reading this chapter and completing the exercises, you will be able to: Explain the components and essential operations of virtual private networks (VPNs) Describe the different types of VPNs Create VPN setups, such as mesh or hub-and-spoke configurations Choose the right tunneling protocol for your VPN Enable secure remote access for individual users via a VPN Recommend best practices for effective configuration and maintenance of VPNs VPN Components and Operations 1. The goal of VPNs is to provide a cost-effective and secure way to connect businesses to one another and remote workers to office networks. If remote branch offices were to connect to one another using a LANbased file-sharing protocol, such as NetBIOS or AppleTalk, the results could be disastrous; the company’s sensitive personnel information, job data, and accounting department records could all become accessible to intruders who are able to either guess or obtain valid usernames and passwords. Because multinational corporations may well need to connect branch offices in various countries, VPNs provide an ideal means of communication. VPN Components 1. In terms of hardware, the following statements are true: A VPN can have two endpoints or terminators. Endpoints are hardware or software devices that perform encryption to secure data, authentication to make sure the host requesting the data is an approved user of the VPN, and encapsulation to protect the integrity of the information being sent. A VPN can have a tunnel. A tunnel is a secure channel used by the VPN and runs through the Internet from one endpoint to another. 2. The devices that form the endpoints of the VPN (these are often said to “terminate” the VPN) can be one of the following: Endpoints of VPN A server running a tunneling protocol A VPN appliance, which is a special hardware device devoted to setting up VPN communications A firewall/VPN combination; many high-end firewall programs support VPN setups as part of their built-in features A router-based VPN; routers that support IPSec can be set up at the perimeter of the LANs to be connected Essential Activities of VPNs 1. Because the VPN uses the Internet to transfer information from one computer or LAN to another, the data needs to be well protected. IP Encapsulation 1. VPNs protect packets by performing IP encapsulation, the process of enclosing a packet within another one that has a different IP source and destination information in order to provide a high degree of protection. 2. The benefit of encapsulating IP packets within other packets is that the source and destination information of the actual data packets (the ones being encapsulated) are completely hidden. The VPN encapsulates the actual data packets within packets that use the source and destination addresses of the VPN gateway. Data Payload Encryption 1. One of the big benefits of using VPNs is the fact that they encrypt the data portion of the packets that pass through them. They do not encrypt the header information within packets—only the data payload that the packets carry. The encryption can be performed in one of two ways: transport method and tunnel method. Encrypted Authentication 1. Two types of keys can be exchanged in an encrypted transaction: Symmetric keys: The keys are exactly the same. The two hosts exchange the same secret key to verify their identities to one another. Asymmetric keys: Each participant has a different secret key called a private key. The private key is used to generate a public key. The participants in the transaction exchange their public keys. Each can then use the other’s public key to encrypt information, such as the body of an e-mail message. When the recipient receives the encrypted message, he or she can decrypt it using the private key. Benefits and Drawbacks of VPNs 1. The advantages and disadvantages of VPNs are summarized in the following table: Advantages Less expensive than leased lines Disadvantages VPNs can still be expensive, especially if you use multiple VPN appliances Scalability and flexibility; allows many different computers to communicate over many different networks Uses the unregulated and often unreliable Internet All traffic that passes through the VPN is encrypted You can control how the VPN is configured Complexity VPN client software may not be compatible with all desktops; testing needs to be done, which can be time consuming VPNs Extend a Network's Boundaries 1. Each VPN connection extends your network to a new location that is out of your control, and each such connection can open up your network to intrusions, viruses, or other problems. You need to take extra care with users who connect to the VPN through always-on connections. Here are some suggestions for how to deal with the increased risk. Dealing with Increased Risk Use of two or more authentication tools to identify remote users Integrate virus protection Set usage limits Quick Quiz 1. A VPN can have two _____ or terminators. Answer: endpoints 2. When using the _____ method of data encryption, the host encrypts traffic when it is generated; the data part of packets is encrypted, but not the headers. Answer: transport 3. If your VPN's _____ is not configured properly, you can easily expose your corporate network. Answer: authorization 4. _____ authentication adds something the user possesses, such as a token or smart card, and something physically associated with the user, such as fingerprints or retinal scans. Answer: Multifactor Types of VPNs 1. In general, you can set up two different types of VPNs. The first type links two or more networks and is called a site-to-site VPN. The second type makes a network accessible to remote users who need dial-in access and is called a client-to-site VPN. The two types of VPNs are not mutually exclusive; many large corporations link the central office to one or more branch locations using site-to-site VPNs, and they also provide dial-in access to the central office by means of a client-to-site VPN. VPN Appliances 1. One way to set up a VPN is to use a hardware device such as a router that has been configured to use IPSec or another VPN protocol. Another option is to obtain a VPN appliance, a hardware device specially designed to terminate VPNs and join multiple LANs. VPN appliances can permit connections between large numbers of users or multiple networks, but they don’t provide other services such as file sharing and printing. 2. One VPN appliance that has a strong reputation is the SonicWALL series of VPN hardware devices. This series is comprised of nine different VPN products. 3. Another widely used VPN appliance is the Symantec Firewall/VPN appliance. Similar to the SonicWALL, the Symantec Firewall/VPN appliance is a series of different models. Each model is an integrated security VPN networking device that provides secure and cost-effective Internet connectivity between locations. Software VPN Systems 1. Software VPNs are generally less expensive than hardware systems, and they tend to scale better for fastgrowing networks. One of the popular software VPN products is F-Secure VPN+. This product supports traveling employees who need private access to a corporate LAN or intranet from any dial-up location, IT staff who need the ability to secure internal networks and partition parts of the network, and corporate partners who require secure connections to a company’s data network for business collaboration. F-Secure VPN+ supports Windows, Linux, and Solaris Sparc clients and servers as well as gateways. 2. Another widely used software VPN is Novell BorderManager VPN services. This software-based VPN supports both the TCP/IP protocol as well as IPX/SPX (another LAN protocol), which is found on older Novell networks. BorderManager can support up to 256 sites per tunnel and can handle up to 1,000 dial-in users per server. Novell BorderManager VPN clients run on Windows 95, 98, NT 4.0, 2000, Me, and XP. VPN Combinations of Hardware and Software 1. You may also use VPN systems that implement both VPN appliances and client software. The Cisco 3000 Series VPN Concentrator is another family of five different models of products. Supporting from 100 to over 10,000 simultaneous VPN users, the Cisco 3000 Series VPNs provide solutions for the smallest office or branch location to the largest enterprise setting. Access levels can be set either by the individual user or by groups, which allows for easy configuration and maintenance of company security policies. Combination VPNs 1. You may also be forced to operate a VPN system that is “mixed” not only in terms of using both hardware and software, but also by different vendors. You might have one company that issues certificates, another that handles the client software, another that handles the VPN termination, and so on. The challenge is to get all of these pieces to talk to one another and communicate with one another successfully. Quick Quiz 1. A VPN that links two or more networks is a(n) ____ VPN. Answer: site-to-site 2. A hardware device specially designed to terminate VPNs and join multiple LANs is known as a VPN _____. Answer: appliance 3. _____ VPN+ is a popular software package for VPN. Answer: F-Secure VPN Setups 1. If you have only two participants in a VPN, the configuration is relatively straightforward in terms of expense, technical difficulty, and the time involved. However, when three or more networks or individuals need to be connected, several options arise. Mesh Configuration 1. In a mesh configuration, each participant (that is, network, router, or computer) in the VPN has an approved relationship, called a security association (SA), with every other participant. In configuring the VPN, you need to specifically identify each of these participants to every other participant that uses the VPN. Before initiating a connection, each VPN hardware or software terminator checks its routing table or SA table to see if the other participant has an SA with it. Hub-and-Spoke Configuration 1. In a hub-and-spoke configuration, a single VPN router contains records of all SAs in the VPN. Any LANs or computers that want to participate in the VPN need only connect to the central server, not to any other machines in the VPN. This setup makes it easy to increase the size of the VPN as more branch offices or computers are added. 2. The problem with hub-and-spoke VPNs is that the requirement that all communications flow into and out of the central router slows down communications, especially if branch offices are located on different continents around the world. In addition, the central router must have double the bandwidth of other connections in the VPN because it must handle both inbound and outbound traffic at the same time. The high-bandwidth charge for such a router can easily amount to several thousand dollars per month. Hybrid Configuration 1. Any critical communications with branch offices that need to be especially fast should be part of the mesh configuration. However, far-flung offices such as overseas branches can be part of a hub-and-spoke configuration. A hybrid setup that combines the two configurations benefits from the strengths of each one—the scalability of the hub-and spoke option and the speed of the mesh option. Configurations and Extranet and Intranet Access 1. Each end of the VPN represents an extension of your corporate network to a new location; you are, in effect, creating an extranet. The same security measures you take to protect your own network should be applied to the endpoints of the VPN. Each remote user or business partner should have firewalls and anti-virus software enabled, for instance. Quick Quiz 1. In a mesh configuration, each participant (that is, network, router, or computer) in the VPN has an approved relationship, called a(n) _____, with every other participant. Answer: security association 2. A(n) _____VPN is ideally suited for communications within an organization that has a central main office and a number of branch offices. Answer: hub-and-spoke 3. VPNs can also be used to give parts of your own organization access to other areas through a corporate _____. Answer: intranet Tunneling Protocols Used with VPNs 1. In the past, firewalls that provided for the establishment of VPNs used proprietary protocols. Such firewalls would only be able to establish connections with remote LANs that used the same brand of firewall. Today, the widespread acceptance of the IPSec protocol with the Internet Key Exchange (IKE) system means that proprietary protocols are used far less often. IPSec/IKE 1. IPSec is a standard for secure encrypted communications developed by the Internet Engineering Task Force (IETF). IPSec provides two security methods: Authenticated Headers (AH) and Encapsulating Security Payload (ESP). AH is used to authenticate packets, whereas ESP encrypts the data portion of packets. 2. IPSec can work in two different modes: transport mode and tunnel mode. Transport mode is used to provide secure communications between hosts over any range of IP addresses. Tunnel mode is used to create secure links between two private networks. Tunnel mode is the obvious choice for VPNs; however, there are some concerns about using tunnel mode in a client-to-site VPN because the IPSec protocol by itself does not provide for user authentication. However, when combined with an authentication system like Kerberos, IPSec can authenticate users. 3. IPSec is commonly combined with IKE as a means of using public key cryptography to encrypt data between LANs or between a client and a LAN. IKE provides for the exchange of public and private keys. PPTP 1. Point-to-Point Tunneling Protocol (PPTP) is commonly used by remote users who need to connect to a network using a dial-in modem connection. PPTP uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data that passes between the remote computer and the remote access server. L2TP 1. Layer 2 Tunneling Protocol (L2TP) is an extension of the protocol long used to establish dial-up connections on the Internet, Point-to-Point Protocol (PPP). L2TP uses IPSec rather than MPPE to encrypt data sent over PPP. PPP Over SSL/PPP Over SSH 1. Point-to-Point Protocol (PPP) over Secure Sockets Layer (SSL) and Point-to-Point Protocol (PPP) Over Secure Shell (SSH) are two UNIX-based methods for creating VPNs. Both combine an existing tunnel system (PPP) with a way of encrypting data in transport (SSL or SSH). 2. SSL is a public key encryption system used to provide secure communications over the World Wide Web. SSH is the UNIX secure shell, which was developed when serious security flaws were identified in Telnet. SSH enables users to perform secure authenticated logons and encrypted communications between a client and host. SSH requires that both client and host have a secret key in advance (a pre-shared key) in order to establish a connection. Quick Quiz 1. _____ is a standard for secure encrypted communications developed by the Internet Engineering Task Force (IETF). Answer: IPSec 2. ____ uses Microsoft Point-to-Point Encryption (MPPE) to encrypt data that passes between the remote computer and the remote access server. Answer: PPTP 3. ____ is an extension of the protocol long used to establish dial-up connections on the Internet, Point-toPoint Protocol (PPP). Answer: L2TP 4. _____ is a public key encryption system used to provide secure communications over the World Wide Web. Answer: SSL Enabling Remote Access Connections within VPNs 1. If users in disparate locations need to connect to the home office via a VPN, you need to set up a remote access connection. A VPN is a good way to secure communications with users who need to connect remotely by both dialing into their ISP and establishing a connection to the corporate network or by using their existing cable modem or DSL connection to the Internet to initiate the VPN connection to the corporate network. To enable a remote user to connect with a VPN, you need to issue that user VPN client software. You should also make sure the user’s computer is equipped with anti-virus software and a firewall. Configuring the Server 1. One step in setting up a client-to-server VPN is configuring the server to accept incoming connections. If you use a firewall-based VPN, you need to identify the client computer. Check Point FireWall-1, for instance, calls this process defining a network object. 2. The major operating systems include their own ways of providing secure remote access. In Linux, you use the IP Masquerade feature built into the Linux kernel to share a remote access connection. A part of IP Masquerade, called VPN Masquerade, enables remote users to connect to the Linux-based firewall using either PPTP or IPSec. 3. Windows XP and 2000 include a Network Connections Wizard that makes it particularly easy to set up a workstation to accept incoming VPN connections, with one limitation: the Remote Access Server that is used to provide the connection has the ability to permit only one incoming connection at a time. Configuring Clients 1. After you set up the server, you then need to configure each client that wants to use the VPN. This either involves installing and configuring VPN client software or, in the case of a Windows-to-Windows network, using the Network Connection Wizard. FireWall-1 uses client software called SecuRemote that, when installed on a client computer, enables connections to another host or network via a VPN. VPN Best Practices 1. The successful operation of a VPN depends not only on its hardware and software components and overall configuration, but also on a number of other best practices. These include security policy rules that specifically apply to the VPN, the integration of firewall packet filtering with VPN traffic, and auditing the VPN to make sure it is performing acceptably. The Need for a VPN Policy 1. In a corporate setting, the VPN is likely to be used by many different workers in many different locations. A VPN policy is essential for identifying who can use the VPN and for ensuring that all users know what constitutes proper use of the VPN. This can be a separate stand-alone policy, or it may be a clause within a larger security policy. Packet Filtering and VPNs 1. When configuring a VPN, you must decide early on where encryption and decryption of data will be performed in relation to packet filtering. You can either decide to do encryption and decryption outside the packet-filtering perimeter or inside it. Auditing and Testing the VPN 1. After the VPN is installed, you need to test the VPN client on each computer that might use the VPN. In an organization with many different workstations, this can be a time-consuming prospect. There is no easy way around this, but you can choose client software (which is installed as part of the test) that is easy for end users to install on their own to save you time and effort. 2. To give you an idea of how testing of a VPN client might work, consider the following step-by-step scenario: You issue VPN client software and a certificate to the remote user. You call the remote user on the phone and lead him or her through the process of installing the software and storing the certificate. If you are using IPSec, you verify with the remote user that the IPSec policies are the same on both the remote user’s machine and on your VPN gateway. You tell the user to start up the VPN software and connect to your gateway. (Hopefully, you’ll be able to remain on the phone while the end user connects, but, if the remote user has only one telephone line and a dial-up connection to the Internet, you may have to communicate by e-mail.) If there are any problems connecting to the gateway, tell the remote user to write down or report the error message exactly to help you correctly diagnose the problem. After the connection is established, the remote user should authenticate by entering his or her username and password when prompted to do so. Quick Quiz 1. Having two connections on the same line is known as _____. Answer: split tunneling 2. What is the type of encryption that is used when packets are encrypted at the host as soon as they are generated? Answer: Transport 3. Incoming PPTP connections arrive on TCP port ____. Answer: 1723 4. One step in setting up a client-to-server VPN is configuring the _____ to accept incoming connections. Answer: server 5. In Linux, you use the IP _____ feature built into the Linux kernel to share a remote access connection. Answer: Masquerade Class Discussion Topics 1. Discuss the benefits and risks of using VPN. 2. Discuss the considerations that affect the choice of using hardware or software to provide a VPN. 3. Discuss the elements of a VPN policy and how it fits into an overall security policy. Additional Case Projects 1. You have been asked to write up a guide to be used when testing new client installations. What steps would you include in this guide? How would you handle different client hardware and software configurations? 2. You have been asked to set up a VPN for a medium-size company that wishes to have office workers telecommute. The company asks for recommendations regarding using hardware or software to support the VPN, what type of configuration is required, and what the requirements of client machines should be. Make some recommendations and explain why you chose those options. 3. You are writing a VPN policy for a large company with offices overseas. What elements will you include in the policy? Further Readings or Resources There’s a Web site devoted solely to the subject of finding VPN hardware and software and providing reviews of different products. Visit Find VPN at http://findvpn.com/providers/vpnware.cfm. SANS provides a sample VPN Policy in PDF format at www.sans.org/newlook/resources/policies/Virtual_Private_Network.pdf.