How to Create a Virtual Private Network

Prof.WilliamsHibbs, United States, Teacher
Published Date: 28-07-2017
Virtual Private Networks, Second Edition

Chapter 1. Why Build a Virtual Private Network?

Until now there has always been a clear division between public and private networks. A public network, like the public telephone system and the Internet, is a large collection of unrelated peers that exchange information more or less freely with each other. The people with access to the public network may or may not have anything in common, and any given person on that network may only communicate with a small fraction of his potential users.

A private network is composed of computers owned by a single organization that share information specifically with each other. They're assured that they are going to be the only ones using the network, and that information sent between them will (at worst) only be seen by others in the group. The typical corporate Local Area Network (LAN) or Wide Area Network (WAN) is an example of a private network. The line between a private and public network has always been drawn at the gateway router, where a company will erect a firewall to keep intruders from the public network out of their private network, or to keep their own internal users from perusing the public network.

There also was a time, not too long ago, when companies could allow their LANs to operate as separate, isolated islands. Each branch office might have its own LAN, with its own naming scheme, email system, and even its own favorite network protocol—none of which might be compatible with other offices' setups. As more company resources moved to computers, however, there came a need for these offices to interconnect. This was traditionally done using leased phone lines of varying speeds. By using leased lines, a company can be assured that the connection is always available, and private. Leased phone lines, however, can be expensive. They're typically billed based upon a flat monthly fee, plus mileage expenses.
If a company has offices across the country, this cost can be prohibitive. Private networks also have trouble handling roving users, such as traveling salespeople. If the salesperson doesn't happen to be near one of the corporate computers, he or she has to dial into a corporation's modem long-distance, which is an extremely expensive proposition.

This book is about the virtual private network (VPN), a concept that blurs the line between a public and private network. VPNs allow you to create a secure, private network over a public network such as the Internet. They can be created using software, hardware, or a combination of the two that creates a secure link between peers over a public network. This is done through encryption, authentication, packet tunneling, and firewalls. In this chapter we'll go over exactly what is meant by each of these and what roles they play in a VPN; we'll touch upon them again and again throughout the book.

Because they skirt leased line costs by using the Internet as a WAN, VPNs are more cost-effective for large companies, and well within the reach of smaller ones. In this chapter, we'll also talk about Intranets as the latest trend in corporate information systems, and how they were the impetus for VPNs.

1.1 What Does a VPN Do?

A virtual private network is a way to simulate a private network over a public network, such as the Internet. It is called "virtual" because it depends on the use of virtual connections—that is, temporary connections that have no real physical presence, but consist of packets routed over various machines on the Internet on an ad hoc basis. Secure virtual connections are created between two machines, a machine and a network, or two networks.

Using the Internet for remote access saves a lot of money. You'll be able to dial in wherever your Internet service provider (ISP) has a point-of-presence (POP).
If you choose an ISP with nationwide POPs, there's a good chance your LAN will be a local phone call away. Some ISPs have expanded internationally as well, or have alliances with ISPs overseas. Even many of the smaller ISPs have toll-free numbers for their roaming users. At the time of this writing, unlimited access dial-up PPP accounts, suitable for business use, are around 25 per month per user. At any rate, well-chosen ISP accounts should be cheaper than setting up a modem pool for remote users and paying the long-distance bill for roaming users. Even toll-free access from an ISP is typically cheaper than having your own toll-free number, because ISPs purchase hours in bulk from the long-distance companies.

In many cases, long-haul connections of networks are done with a leased line, a connection to a frame relay network, or ISDN. We've already mentioned the costs of leasing a "high cap" leased line such as a T1. Frame relay lines can also give you high speeds without the mileage charges. You purchase a connection to a frame cloud, which connects you through switches to your destination. Unlike a leased line, the amount you pay is based more on the bandwidth that's committed to your circuit than distance. Frame connections are still somewhat expensive, however. ISDN, like the plain old telephone system, incurs long-distance charges. In many locations, the local telephone company charges per minute even for local calls, which again runs expenses up.

For situations where corporate office networks are in separate cities, having each office get a T1, frame relay, or ISDN line to an ISP's local POP would be much cheaper than connecting the two offices using these technologies. A VPN could then be instituted between the routers at the two offices, over the Internet. In addition, a VPN will allow you to consolidate your Internet and WAN connections into a single router and single line, saving you money on equipment and telecommunications infrastructure.

1.1.1 The Rise of Intranets

By now you've probably heard of Intranets and the stir they've caused at many businesses. Companies are running TCP/IP networks, posting information to their internal web sites, and using web browsers as a common collaborative tool. An example of an Intranet application is a customer database accessible via the Web. Salespeople could use this database to contact current customers about new product offerings and send them quotes. The database could have a HyperText Mark-Up Language (HTML) front end, so that it would be accessible from any web browser.

The rise of Intranets was spurred on by the growth of the Internet and its popular information services, commonly known as the World Wide Web. It was as if the corporate sector had finally caught on to what the Internet community had been doing for years: using simple, platform-independent protocols to communicate more effectively. No matter how much marketing hype you hear, an Intranet is simply Internet technology put to use on a private network.

1.1.1.1 How VPNs relate to Intranets

Virtual private networks can be used to expand the reach of an Intranet. Since Intranets are typically used to communicate proprietary information, you don't want them accessible from the Internet. There may be cases, however, where you'll want far-flung offices to share data or remote users to connect to your Intranet, and these users may be using the Internet as their means of connection. A VPN will allow them to connect to the Intranet securely, so there are no fears of sensitive information leaving the network unprotected. You might see this type of connection also referred to as an "Extranet."

Using our previous example of the customer database, it's easy to see how a VPN could expand the Intranet application's functionality. Suppose most of your salespeople are on the road, or work from home.
There's no reason why they shouldn't be able to use the Internet to access the web server that houses the customer database application. You don't want just anyone to be able to access the information, however, and you're also worried about the information itself flowing unencrypted over the Internet. A VPN can provide a secure link between the salesperson's laptop and the Intranet web server running the database, and encrypt the data going between them. VPNs give you flexibility, and allow practically any corporate network service to be used securely across the Internet.

1.2 Security Risks of the Internet

The risks associated with the Internet are advertised every day by the trade and mainstream media. Whether it's someone accessing your credit card numbers, prying into your legal troubles, or erasing your files, there's a new scare every month about the (supposedly) private information someone can find out about you on the Internet. (Not to mention the perceived risk that you might happen upon some information that you find offensive, or that you might not want your children to see.)

For corporations, the risks are even more real and apparent. Stolen or deleted corporate data can adversely affect people's livelihoods, and cost the company money. If a small company is robbed of its project files or customer database, it could put them out of business.

Since the Internet is a public network, you always risk having someone access any system you connect to it. It used to be that a system intruder would have to dial into your network to crack a system. This meant that they would have to find a phone number connected to a modem bank that would give them access, and risk the possibility of the line being traced. But if your corporate network is connected over the Internet and your security is lax, the system cracker might be able to access your network using any standard dial-up account from any ISP in the world.
Even unsophisticated users can obtain and use automated "security check" tools to seek out holes in a company's network. What's worse is that, chances are, you'll never know that it's happening. Before we put our private data out on the Internet, we'd better make sure a VPN is robust enough to protect it.

1.2.1 What Are We Protecting with Our VPN?

The first things that come to mind when you think of protection are the files on your networked computers: documents that contain your company's future plans, spreadsheets that detail the financial analysis of a new product introduction, databases of your payroll and tax records, or even a security assessment of your network pointing out holes and problematic machinery.

These files are a good starting point, but don't forget about the other, less tangible assets that you connect to the Internet when you go online. These include the services that you grant your employees and customers, the computing resources that are available for use, and even your reputation. For instance, a security failure can cause your vendors' email to bounce back to them, or prevent your users from making connections to other sites.

The easiest thing would be to isolate, tabulate, and lock down your private data. Well over half the data you manage and distribute might call for some sort of security. Just think, even something as innocuous as customer records and addresses could be used against you in a negative advertising campaign; this might hurt you far worse than a negative campaign aimed at a random slice of the population. Unfortunately, in the client-server world of telecommuters, field sales agents, and home offices, it's not so easy to keep all private data locked down in a single, protected area. The chief financial officer of a company may need to access financial information on the road, or a programmer working from home may need to access source code.
VPNs help alleviate some of the worry of transmitting secure files outside of your network. In Chapter 2, we will examine possible threats to your network and data, and explore the technologies that VPNs use to avoid them.

1.3 How VPNs Solve Internet Security Issues

There are several technologies that VPNs use to protect data travelling across the Internet. The most important concepts are firewalls, authentication, encryption, and tunneling. Here we will give them a cursory rundown, then go into more detail in Chapter 2.

1.3.1 Firewalls

An Internet firewall serves the same purpose as firewalls in buildings and cars: to protect a certain area from the spread of fire and a potentially catastrophic explosion. The spread of a fire from one part of a building is controlled by putting up retaining walls, which help to contain the damage and minimize the overall loss and exposure. An Internet firewall is no different. It uses such techniques as examining Internet addresses on packets or ports requested on incoming connections to decide what traffic is allowed into a network.

Although most VPN packages themselves don't implement firewalls directly, they are an integral part of a VPN. The idea is to use the firewall to keep unwanted visitors from entering your network, while allowing VPN users through. If you don't have a firewall protecting your network, don't bother with a VPN until you get one—you're already exposing yourself to considerable risk.

The most common firewall is a packet filtration firewall, which will block specified IP services (run on specific port numbers) from crossing the gateway router. Many routers that support VPN technologies, such as the Cisco Private Internet Exchange (PIX) and the 3Com/U.S. Robotics Total Control, also support packet filtration. Proxies are also a common method of protecting a network while allowing VPN services to enter.
Proxy servers are typically a software solution run on top of a network operating system, such as Unix, Windows NT, or Novell Netware.

1.3.2 Authentication

Authentication techniques are essential to VPNs, as they ensure the communicating parties that they are exchanging data with the correct user or host. Authentication is analogous to "logging in" to a system with a username and password. VPNs, however, require more stringent authentication methods to validate identities.

Most VPN authentication systems are based on a shared key system. The keys are run through a hashing algorithm, which generates a hash value. The other party holding the keys will generate its own hash value and compare it to the one it received from the other end. The hash value sent across the Internet is meaningless to an observer, so someone sniffing the network wouldn't be able to glean a password. The Challenge Handshake Authentication Protocol (CHAP) is a good example of an authentication method that uses this scheme. Another common authentication system is RSA.

Authentication is typically performed at the beginning of a session, and then at random during the course of a session to ensure that an impostor didn't "slip into" the conversation. Authentication can also be used to ensure data integrity. The data itself can be sent through a hashing algorithm to derive a value that is included as a checksum on the message. Any deviation in the checksum sent from one peer to the next means the data was corrupted during transmission, or intercepted and modified along the way.

1.3.3 Encryption

All VPNs support some type of encryption technology, which essentially packages data into a secure envelope. Encryption is often considered as essential as authentication, for it protects the transported data from packet sniffing. There are two popular encryption techniques employed in VPNs: secret (or private) key encryption and public key encryption.
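
The shared-key challenge/response from section 1.3.2, as an added example that is not code from the book: it follows the CHAP calculation in RFC 1994 (MD5 over identifier, secret and challenge) and, for the integrity checksum, substitutes a keyed hash (HMAC-SHA256) for a plain hash. The peer name, keys and message are constructed values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges and checks the returned hash value."""

    def __init__(self, secrets_by_peer):
        self.secrets = secrets_by_peer      # peer name -> shared secret
        self.pending = {}                   # identifier -> outstanding challenge
        self.next_id = 0

    def new_challenge(self):
        """Fresh random challenge; sent at session start and again mid-session."""
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(16)
        self.pending[identifier] = challenge
        return identifier, challenge

    def verify(self, peer, identifier, response):
        # pop(): each challenge is accepted once, so an old response is useless
        challenge = self.pending.pop(identifier, None)
        secret = self.secrets.get(peer)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def seal(key: bytes, data: bytes) -> bytes:
    """Append a keyed checksum. Swapped-in technique: HMAC-SHA256, because a
    plain hash could be recomputed by whoever modified the data in transit."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def unseal(key: bytes, message: bytes) -> bytes:
    """Return the data if the checksum matches, otherwise raise ValueError."""
    if len(message) < 32:
        raise ValueError("message too short to carry a checksum")
    data, tag = message[:-32], message[-32:]
    if not hmac.compare_digest(hmac.new(key, data, hashlib.sha256).digest(), tag):
        raise ValueError("checksum mismatch: corrupted or modified in transit")
    return data


def demo():
    secret = b"constructed-shared-secret"            # constructed sample value
    integrity_key = b"constructed-integrity-key"     # constructed sample value
    auth = Authenticator({"branch-router": secret})  # hypothetical peer name

    # Normal login: only the hash crosses the network, never the secret.
    ident, challenge = auth.new_challenge()
    response = chap_response(ident, secret, challenge)
    first_login = auth.verify("branch-router", ident, response)

    # A sniffed response replayed against the next challenge does not verify.
    ident2, _ = auth.new_challenge()
    replayed = auth.verify("branch-router", ident2, response)

    # A peer holding the wrong secret fails as well.
    ident3, challenge3 = auth.new_challenge()
    wrong = auth.verify("branch-router", ident3,
                        chap_response(ident3, b"guess", challenge3))

    # Integrity: one flipped bit in the data is detected by the receiver.
    sealed = seal(integrity_key, b"constructed payload")
    tampered = bytes([sealed[0] ^ 1]) + sealed[1:]
    try:
        unseal(integrity_key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return first_login, replayed, wrong, unseal(integrity_key, sealed), tamper_detected


if __name__ == "__main__":
    print(demo())
```

A recorded challenge and response still let an observer test guesses at the secret offline, so the shared secret has to be long and random rather than a memorable password.
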
In secret key encryption, there is a shared secret password or passphrase known to all parties that need access to the encrypted information. This single key is used to both encrypt and decrypt the information. The data encryption standard (DES), which the Unix crypt system call uses to encrypt passwords, is an example of a private key encryption method.

One problem with using secret key encryption for shared data is that all parties needing access to the encrypted data must know the secret key. While this is fine for a small workgroup of people, it can become unmanageable for a large network. What if one of the people leaves the company? Then you're going to have to revoke the old shared key, institute a new one, and somehow securely notify all the users that it has changed.

Public key encryption involves a public key and a private key. You publish your public key to everyone, while only you know your private key. If you want to send someone sensitive data, you encrypt it with a combination of your private key and their public key. When they receive it, they'll decrypt it using your public key and their private key.

Depending on the software, public and private keys can be large—too large for anyone to remember. Therefore, they're often stored on the machine of the person using the encryption scheme. Because of this, private keys are typically stored using a secret key encryption method, such as DES, and a password or passphrase you can remember, so that even if someone gets on your system, they won't be able to see what your private key looks like. Pretty Good Privacy (PGP) is a well-known data security program that uses public key encryption; RSA is another public key system that is particularly popular in commercial products. The main disadvantage of public key encryption is that, for an equal amount of data, the encryption process is typically slower than with secret key encryption.
VPNs, however, need to encrypt data in real time, rather than storing the data as a file like you would with PGP. Because of this, encrypted streams over a network, such as VPNs, are encrypted using secret key encryption with a key that's good only for that streaming session. The session secret itself (typically smaller than the data) is encrypted using public key encryption and is sent over the link. The secret keys are often negotiated using a key management protocol.

The next step for VPNs is secure IP, or IPSec. IPSec is a series of proposals from the IETF outlining a secure IP protocol for IPv4 and IPv6. These extensions would provide encryption at the IP level, rather than at the higher levels that SSL and most VPN packages provide. IPSec creates an open standard for VPNs. Currently, some of the primary VPN contenders use proprietary encryption, or open standards that only a few vendors adhere to. Rather than seeing IPSec as a threat to their current products, most vendors see it as a way to augment their own security, essentially adding another interoperable level to their current tunneling and encryption methods. We'll go into detail about the power, politics, and use of various encryption techniques in Chapter 2.

1.3.4 Tunneling

Many VPN packages use tunneling to create a private network, including several that we review in this book: the AltaVista Tunnel, the Point-to-Point Tunneling Protocol (PPTP), the Layer 2 Forwarding Protocol, and IPSec's tunnel mode.

VPNs allow you to connect to a remote network over the Internet, which is an IP network. The fact is, though, that many corporate LANs don't exclusively use IP (although the trend is moving in that direction). Networks with Windows NT servers, for instance, might use NetBEUI, while Novell servers use IPX. Tunneling allows you to encapsulate a packet within a packet to accommodate incompatible protocols. The packet within the packet could be of the same protocol or of a completely foreign one.
For example, tunneling can be used to send IPX packets over the Internet so that a user can connect to an IPX-only Novell server remotely.

With tunneling you can also encapsulate an IP packet within another IP packet. This means you can send packets with arbitrary source and destination addresses across the Internet within a packet that has Internet-routable source and destination addresses. The practical upshot of this is that you can use the reserved (not Internet-routable) IP address space set aside by the Internet Assigned Numbers Authority (IANA) for private networks on your LAN, and still access your hosts across the Internet. We will look at how and why you would do this in later chapters.

Other standards that many VPN devices use are X.509 certificates, the Lightweight Directory Access Protocol (LDAP), and RADIUS for authentication.

1.4 VPN Solutions

A VPN is a conglomerate of useful technologies that originally were assembled by hand. Now the networking companies and ISPs have realized the value of a VPN and are offering products that do the hard work for you. In addition, there is an assortment of free software available on the Internet (usually for Unix systems) that can be used to create a VPN. In this book, we're going to look at some of the commercial and free solutions in detail. Which one you choose for your network will depend on the resources available to you, the platforms you run, your network topology, the time you wish to spend installing and configuring the software, and whether or not you want commercial-level support.

We can't cover every vendor and product in this book; they change too quickly. Instead, we offer guidelines you can use on all networks and details on a few stable products that were available when we were writing this edition—we don't mean to imply that there's anything less valuable about competing products.
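
The IP-within-IP encapsulation described in section 1.3.4, as an added example that is not code from the book: an inner IPv4 packet with private addresses is wrapped in an outer header (protocol 4, IP-in-IP per RFC 2003) whose addresses are routable, then validated and unwrapped at the far end. The host addresses and payload are constructed, taken from the private ranges and from the 1.0.0.0/8 and 2.0.0.0/8 blocks this book uses for its examples.

```python
import socket
import struct

IPPROTO_IPIP = 4      # IP-in-IP encapsulation (RFC 2003)
HEADER_LEN = 20       # IPv4 header without options
HEADER_FMT = "!BBHHHBBH4s4s"


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build an option-less IPv4 packet with a valid header checksum."""
    if len(payload) > 0xFFFF - HEADER_LEN:
        raise ValueError("payload does not fit in one IPv4 packet")
    header = struct.pack(HEADER_FMT,
                         0x45, 0, HEADER_LEN + len(payload),  # version 4, IHL 5
                         0, 0, ttl, proto, 0,                 # checksum filled below
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", checksum(header)) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Validate and split an IPv4 packet; raise ValueError on anything odd."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ver_ihl != 0x45:
        raise ValueError("only option-less IPv4 headers are handled here")
    if checksum(packet[:HEADER_LEN]) != 0:      # a valid header sums to zero
        raise ValueError("bad header checksum")
    if total_len < HEADER_LEN or total_len > len(packet):
        raise ValueError("length field disagrees with packet size")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[HEADER_LEN:total_len]}


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap a whole IP packet as the payload of an outer, routable packet."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner_packet)


def decapsulate(outer_packet: bytes, expected_peer: str) -> bytes:
    """Return the inner packet if the outer one is a well-formed tunnel packet.

    The source-address test is only a sanity check: addresses can be forged,
    and nothing here is encrypted. A VPN adds authentication and encryption
    on top of this encapsulation step.
    """
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    if outer["src"] != expected_peer:
        raise ValueError("tunnel packet from unexpected endpoint")
    parse_ipv4(outer["payload"])                # inner packet must parse too
    return outer["payload"]


def demo():
    # Constructed sample: private LAN hosts talking through routable gateways.
    # Protocol 253 is reserved for experimentation (RFC 3692).
    inner = build_ipv4("10.1.1.20", "10.2.2.5", 253, b"constructed payload")
    outer = encapsulate(inner, "1.0.0.1", "2.0.0.1")
    on_wire = parse_ipv4(outer)                 # what Internet routers see
    delivered = parse_ipv4(decapsulate(outer, expected_peer="1.0.0.1"))
    return on_wire, delivered


if __name__ == "__main__":
    wire, inner = demo()
    print("on the wire:", wire["src"], "->", wire["dst"], "proto", wire["proto"])
    print("delivered:  ", inner["src"], "->", inner["dst"], inner["payload"])
```
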
VPN packages range from software solutions that run on or integrate with a network operating system (such as the AltaVista Tunnel or CheckPoint Firewall-1 on Windows NT or Unix), to hardware routers/firewalls (such as those from Cisco and Ascend), to integrated hardware solutions designed specifically for VPN functions (such as VPNet and the Bay Networks Extranet Switch). Some VPN protocols, like SSH or SSL, gained popularity for performing other functions, but have since become used for VPNs as well.

In addition to products, ISPs are also offering VPN services to their customers. The tunneling usually takes place on the ISP's equipment. If both ends of the connection are through the same ISP, that ISP might offer a Service Level Agreement (SLA) guaranteeing a certain maximum amount of latency and uptime.

1.4.1 Quality of Service Issues

Running a virtual private network over the Internet raises an easily forgotten issue of reliability. Let's face it: the Internet isn't always the most reliable network, by nature. Tracing a packet from one point to another, you may pass through a half-dozen different networks of varying speeds, reliability, and utilization—each run by a different company. Any one of these networks could cause problems for a VPN.

The lack of reliability of the Internet, and the fact that no one entity controls it, makes troubleshooting VPN problems difficult for a network administrator. If a user can't dial into a remote access server at the corporate headquarters, or there's a problem with a leased line connection, the network administrator knows there are a limited number of possibilities for where the problem may occur: the machine or router on the far end, the telecommunications company providing the link, or the machine or router at the corporate headquarters.
For a VPN over the Internet, the problem could be with the machine on the far end, with the ISP on the far end, with one of the networks in between, with the corporate headquarters' ISP, or with the machine or router at the corporate headquarters itself.

Although a few large ISPs are offering quality of service guarantees with their VPN service (if all parties involved are connected to their network), smaller ISPs can't make such a guarantee—and there will always be times when the network administrator is left to her own resources. This book will help you isolate and identify the problem when something goes wrong on your VPN.

1.5 A Note on IP Address and Domain Name Conventions Used in This Book

The notation 1.0.0.0/24 is commonly used in describing IP address ranges. It means "start with the address 1.0.0.0 and allow the right-most 8 bits to vary." The 8 is calculated by using 32 bits (the maximum for an IP address) minus 24 (the size specified after the "/"). So 1.0.0.0/24 means all addresses from 1.0.0.0 to 1.0.0.255.

We've elected to use the same IP address ranges and domain name throughout this book. For Internet-routable IP address ranges, we're using the blocks 1.0.0.0-1.255.255.255 (or 1.0.0.0/8) and 2.0.0.0-2.255.255.255 (2.0.0.0/8), which we subnet to suit our needs. These ranges were chosen because they are designated as Internet routable, but are reserved by the IANA and aren't currently being used. We hope that using these ranges, rather than randomly picking some or choosing them from "active" registered networks, will make examples and figures easier to understand while protecting the innocent. We found that this helped us maintain our own sanity while writing the book.

For internal networks, we use the IP ranges set aside in RFC 1918 for use on private networks.
These ranges are 10.0.0.0-10.255.255.255 (or 10.0.0.0/8), 172.16.0.0-172.31.255.255 (or 172.16.0.0/12), and 192.168.0.0-192.168.255.255 (or 192.168.0.0/16). We also subnet these as we deem necessary for an example.

The domain name we use for our examples is ora-vpn.com. Within this domain, however, we don't have a hostname convention, because we typically create a hostname to match whatever solution we are writing about in a given chapter.

Chapter 2. Basic VPN Technologies

This chapter focuses on the background technologies used to build a virtual private network. As we discussed in Chapter 1, there are two competing camps at work when we talk about connecting networks. The first camp places the highest worth on the accessibility of data anywhere the user might be, and anywhere the data might be. The second emphasizes that the protection of the data itself, the content, is most important and must be protected to prevent unauthorized persons from using it. As you can see, these two concepts are not at all mutually exclusive, but more of a yin-yang. As you focus on sharing more and more information so that everyone can get what they need, you must also remain focused on the security of that information so that others will not take advantage of you.

Because the Internet is a vast collection of resources, it is clear that sharing your information with other participants can help you prosper. It is not clear, however, at what risk you place yourself when you actually connect. It is our opinion that some companies see the Net as a huge untapped marketplace, full of consumers and advertising opportunities, but don't realize that the Internet has its own version of an "underworld" as well. It is this, above all else, that compels us to protect our data, and where the emergence of the virtual private network presents itself as a stepping stone into the 21st century.
The protection of private data is the core of the virtual private network, and the two most relevant technologies (encryption and firewalls) are what make it all possible.

In this chapter we will present an overview and background of the technologies used to build a VPN, and how they are incorporated into the products and services covered in this book. We will start with a discussion of how firewall techniques are used to protect an entire network at its gateway routers. Next, we will present you with a general background on encryption: how it is used in a traditional sense, plus how it will be deployed using a VPN. Following this, we will discuss authentication techniques and how they are used in conjunction with the encryption algorithms with VPNs. Also, we will delve into the protocols that have arisen from the growth of the VPN industry. Lastly, we will briefly cover various compromise methodologies that a potential assailant may use to try to gain access to your private network or data.

2.1 Firewall Deployment

The first of the security-related technologies that we cover in this book is the firewall. A firewall is a system that stands between your internal network and the world outside. Firewalls have been employed on large public networks for many years and are a great starting place in the development of a security strategy. The reason to start with firewalls is that they are generally placed at the point at which your network interconnects with a public network, like the Internet. Although not a perfect strategy, a firewall is easy to configure; it requires only the modification of one gateway router. Of course, if you have a large, multiply-connected WAN, with many paths to the Internet, then it should be noted that you will need to create a firewall for each interconnection point. The complexity of this process increases dramatically from the single point gateway to the multiple point gateway.

2.1.1 What Is a Firewall?

The U.S. Department of Defense, probably the world's authority on data sensitivity and security controls, used a system of confidences defined as security levels to restrict access to classified documents. The criteria for determining how a governmental computer should be protected were detailed in the fabled "Orange Book." It stated that to secure highly sensitive data, one must never connect the computer to an exterior network. This is of course the best firewall strategy that exists, but it is too restrictive to be practical. We know the value of interconnection like the rest of you; we just want you to realize that the best firewall for extremely sensitive materials is to isolate them on a computer without a network connection at all.

Firewalls usually serve two main functions for a network administrator. The first is to control which machines an outsider can see and the services on those machines with which he can converse. The second controls what machines on the Internet an internal user can see, as well as what services he can use. A firewall is much like a traffic cop, organizing which paths network traffic can take, and stopping some altogether. Internet firewalls usually do this by inspecting every packet that traverses the gateway router, which is why they are usually referred to as "packet filtration" systems.

Watch out for possible circumvention techniques. The best firewall in the world won't do you a bit of good if there is some backdoor or circumnavigational route the attacker can take. Take care to protect the remote access systems (such as PPP, SLIP, and ARA servers) that allow users to dial directly into your private network. Remember that hackers will try to take these avenues into your site if you allow them.
By avoiding the gateway firewalls and all of your cleverly erected traps and pitfalls, a system cracker has only to dial in with a compromised account to gain access to services against which your exterior gateway firewall can't protect. Remember that your firewall is only as strong as its weakest point. No one security package is a comprehensive solution for all of the services your network provides. It is important to conduct an ongoing audit of your access policies and police your site regularly in concert with researching vulnerabilities as they become discovered.

For this chapter, we will use our large branch network as an example. We will further assume that we have a Cisco 2500 series router and 40 workstations. Of the 40 computers, three are servers: one FTP server, one mail server, and one web server. We have a full class C address (2.48.29.0/24) allocated to us from the NIC (Network Information Center); we will be presenting examples throughout this section on how to set up different firewall topologies using our 40 machines and the network provided earlier. Figure 2-1 illustrates what the firewall will be doing in a basic sense for both our large branch as well as our main corporate network (at the top).

Figure 2-1. A typical firewall

2.1.2 What Types of Firewalls Are There?

Since almost all firewalling techniques are designed around a similar model, a centralized point of control, there are only a few variations at the top level that need to be explored. You are probably already familiar with the packet filtration firewall; most people are these days, given the recent attention paid to it by the news media. In this section we will discuss the operation and configuration of four architectures of firewall design. There are many variations of the four that you may have seen implemented, and certainly we are omitting several of the most complex and advanced architectures.
But we hope to familiarize you with what a firewall is, how it works, how to set one up, and, most relevant to this book, how it fits into the world of the virtual private network.

2.1.2.1 Packet restriction or packet filtering routers

Routers and computers that conduct packet filtration choose to send traffic to a network based on a predefined table of rules. The router does not make decisions based on what's inside the packet's payload, but rather on where it is coming from and where it is destined. It only considers that if the packet matches a set of parameters, it should take appropriate action to either allow or deny the transit. These allow and deny tables are set up to conform to the overall network security policies put in place by the network administrator or security coordinator.

A peek into the operation of a packet filter shows us that the router never even looks at any of the packet's payload, but only at the TCP/IP header information, to make its screening decisions. Thus, as shown in Figure 2-2, if a router were asked to allow all traffic from network 1.34.21.0/24, it would check all packets for a matching source address and pass them across. Should a packet be received from another network, the filter would disallow the transit, and the packet would be thrown away. So, in essence, this is how the entire operation of this firewall affords security to the site.

Figure 2-2. A packet filtration router filter

Packet filtering can take on two basic forms. First is an open network with selective filtering of unwanted traffic. For each type of network attack, an appropriate filter must be put in place on the router. Second is the closed network with selective filtering of desired traffic. Although affording greater security, even for those attacks that haven't been thought of yet, the drawback for the network administrator is having to update the firewall as new computers or services are added or changed.
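The two forms can be compared with a small first-match filter model. This is an added example, not code from the book: it uses the chapter's sample networks (1.34.21.0/24, 2.48.29.0/24, the mail server at 2.48.29.4 on ports 25 and 110), while the telnet block, the host 2.48.29.7, and the 203.0.113.9 outsider are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""  # carried along, never read by the filter


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str                         # source network in CIDR form
    dst: str                         # destination network in CIDR form
    dports: frozenset = frozenset()  # empty set means any port

    def matches(self, pkt: Packet) -> bool:
        # Header fields only: source, destination, destination port.
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (not self.dports or pkt.dport in self.dports))


def decide(policy, pkt: Packet) -> str:
    """First matching rule wins; otherwise the policy default applies."""
    rules, default = policy
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


ANY = "0.0.0.0/0"
MAIL_SERVER = "2.48.29.4/32"

# Closed network: name the desired traffic, drop everything else.
CLOSED = ([Rule("allow", "1.34.21.0/24", MAIL_SERVER, frozenset({25, 110}))],
          "deny")

# Open network: name the unwanted traffic, pass everything else.
# Constructed rule: inbound telnet (port 23) to the branch network is blocked.
OPEN = ([Rule("deny", ANY, "2.48.29.0/24", frozenset({23}))], "allow")

# Constructed sample packets.
SAMPLES = {
    "pop3_from_allowed_net": Packet("1.34.21.44", "2.48.29.4", 110, b"USER bob"),
    "same_host_other_user": Packet("1.34.21.44", "2.48.29.4", 110, b"USER eve"),
    "smtp_from_elsewhere": Packet("203.0.113.9", "2.48.29.4", 25),
    "unplanned_service": Packet("203.0.113.9", "2.48.29.7", 8080),
    "telnet_probe": Packet("203.0.113.9", "2.48.29.7", 23),
}


def verdicts(policy) -> dict:
    """Map each sample packet name to the filter's decision under a policy."""
    return {name: decide(policy, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, policy in (("closed", CLOSED), ("open", OPEN)):
        print(label, verdicts(policy))
```

Under the closed policy the unplanned service on port 8080 is dropped without anyone having written a rule for it; under the open policy it passes. The two POP3 packets differ only in payload, so the filter returns the same verdict for both.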
As you can guess, a packet filter suffers from several inadequacies. First off, there's no way to do user authentication; either a peer pair is allowed, or it's not. For example, either machine 1.34.21.44 can pass mail traffic (ports 25 and 110) to our mail server on our large network (2.48.29.4), or it can't. There's no provision for who is trying to send the mail. Shouldn't it be possible for Bob, one of our employees who is visiting the ZZZ Cyber Coffee Shop (the owners of network 1.34.21.44), to be able to check his email and have a coffee?

Further, be glad for performance reasons that the router doesn't actually open all the packets it gets. Routers these days are asked to perform miracles, especially with the race for more and more bandwidth. The router's job is to decide where to send the traffic, not really to catch and throw away packets that are security risks. What we're suggesting, of course, is that there will be a marked change in what gateway networks will look like in the future. We believe that there will be a decoupling of routing equipment and packet filtration (or even security equipment, for that matter) in the very near term. Actually, this may already be the case. New products are already coming out that support dynamic authentication through a packet filtering router directly to the user level, even across an encrypted link.

A last impediment is that frequent changes to the network may require wholesale reconfiguration of the gateway router and the packet filtration firewall that lives on it. This can be time-consuming and disaster-prone if either an uncaught mistake leaves most of the network wide open, or a subtle change leaves the router crippled and unable to perform its first duty as a network traffic director.

2.1.2.2 Bastion host

A bastion host or screening host, as it is sometimes called, uses both a packet filtering mechanism provided by the router plus a secured host.
A secured host is one that has had its operating system and major services combed over by a security expert. The primary security is provided by a packet filtering router, and the secured host is used to stage information flow in either direction. The bastion host is a security-checked machine that is connected to the Internet with the same method as other machines. The gateway allows traffic to pass to it in a less restricted fashion. Bastion hosts are typically used in combination with filtering routers because simple packet filtration systems can't filter on the protocol or the application layer. (See Figure 2-3 for a sample configuration.)

Figure 2-3. A bastion host firewall

A bastion host is much easier to configure than a distributed server and tons easier to maintain, because the bulk of the traffic is being sent to one system. Since the bastion host is situated on the internal wire, it needs no special exemptions from other locally connected equipment. The site's security policy will dictate what needs to be configured on the packet filtering router, which will be as restrictive as necessary. It's not uncommon at all for an administrator to use a combination of strategies, employing both the packet filtering router and a bastion host.

One of the great things about the configuration of a bastion host for security measures is that configuration of the packet filter becomes a generic "deny everything" statement, preceded by some very specific allow statements that pertain only to the bastion host. For large and quickly changing networks, you can see that this reduces the load of the security personnel. Adding new machines or having users install poorly secured equipment does not affect the firewall or the protection afforded by the bastion host. Of course, having a centralized point of control does have its disadvantages.
For one, a large, busy network would need several machines acting as bastion hosts (making the administration of them more time-consuming), or even better, a perimeter network of bastion hosts might be required (see the next section). Each machine needs its own section in the packet filtration firewall, piling on complexity, and with each machine comes the headache of having to test and double test it for purity. Along with the need for multiple hosts to prevent network congestion, the centralization of information at the bastion will tend to draw attack attention there, making it ever more important to secure and monitor it around the clock. It should go without saying that a major drawback to this type of firewall configuration is that it can lead to a tragic security hazard should an assailant get system operator privileges on the bastion host. Thus, a single point of control equals a single point of failure.

2.1.2.3 DMZ or perimeter zone network

A popular ploy to separate large corporate internal networks from the hostile environment of the Net is to erect a "routing network" on which all inbound and outbound traffic must travel. Huge installations normally have such networks already set up so that they can effectively separate the local traffic from the metropolitan traffic from the wide-area or worldwide traffic. As you might have guessed, a routing network consists of only routers, including those both internally and externally connected, and usually goes by the term "backbone." A sample configuration is shown in Figure 2-4.

Figure 2-4. A perimeter zone firewall example

You might be wondering why the term DMZ is sometimes used interchangeably for a perimeter zone network. DMZ stands for "demilitarized zone" and serves the same purpose as it does in areas of geographical conflict: it's a buffer zone between two hostile parties that must coexist in close proximity.
In creating a perimeter zone network, the added security you get is multifold. First, there are at least two routers involved in protecting your internal network. One router sits as the gateway to the Internet, and one sits as the gateway to your internal network. The network the two routers share should not have any other host equipment on it other than routing equipment and trusted host equipment (used as a bastion host, detailed earlier). The second security feature inherent in the DMZ architecture involves a security breach at the outside perimeter router level or at any host on the perimeter network; intruders can sniff only packets transiting through, and nothing else. To gain access to the internal network, they would then have to crack the internal perimeter router, which should dishearten them enough to make them disappear. Plus, a VPN solution from the internal network would almost certainly involve encrypting packets, further complicating a compromise attempt. In a standard perimeter zone construction, the most complex and careful controls are placed on the internal router, which is the one that separates the internal network from both the perimeter network and the external network. It is a very common practice to erect the DMZ network in this fashion, because this configuration can be likened to tiers of concentric circles—each one further out provides less security. Also, it is becoming common practice to use Network Address Translation (NAT) at the internal router to further complicate locating and hijacking internal communications. NAT provides security by translating non-routable addresses (like the 192.168.0.0 range) into real Internet addresses in a dynamic fashion. There is no easy way to exchange traffic with internal hosts except by circumventing the machine doing the NAT translation. 
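A simplified model of dynamic NAT at the internal router shows why an outside host cannot address an internal machine directly. This is an added example, not code from the book: the two-address public pool taken from the chapter's 2.48.29.0/24 network, the 192.168.1.x hosts, and the 300-second idle timeout are all assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network


class DynamicNat:
    """One-to-one dynamic NAT: inside hosts borrow a public address on demand."""

    def __init__(self, inside_net, public_pool, idle_timeout=300):
        self.inside = ip_network(inside_net)
        self.free = list(public_pool)  # public addresses not currently lent out
        self.out = {}                  # inside address -> public address
        self.back = {}                 # public address -> inside address
        self.last_seen = {}            # inside address -> time of last outbound packet
        self.idle_timeout = idle_timeout

    def _expire(self, now):
        # Return idle mappings to the pool so the address can be reused.
        for inside, seen in list(self.last_seen.items()):
            if now - seen > self.idle_timeout:
                public = self.out.pop(inside)
                del self.back[public], self.last_seen[inside]
                self.free.append(public)

    def outbound(self, src, now):
        """Public source address for a packet leaving the inside, or None if dropped."""
        self._expire(now)
        if ip_address(src) not in self.inside:
            return None                # not one of our internal hosts
        if src not in self.out:
            if not self.free:
                return None            # pool exhausted
            public = self.free.pop(0)
            self.out[src], self.back[public] = public, src
        self.last_seen[src] = now
        return self.out[src]

    def inbound(self, dst, now):
        """Inside destination for a packet from the Internet, or None if dropped."""
        self._expire(now)
        return self.back.get(dst)      # no live mapping means no route inward


def demo():
    """Run a constructed sequence of packets and return each result in order."""
    nat = DynamicNat("192.168.0.0/16", ["2.48.29.200", "2.48.29.201"])
    return [
        nat.inbound("2.48.29.200", now=0),     # unsolicited: nothing mapped yet
        nat.outbound("192.168.1.10", now=0),   # first host borrows .200
        nat.inbound("2.48.29.200", now=10),    # reply traffic reaches that host
        nat.outbound("192.168.1.11", now=20),  # second host borrows .201
        nat.outbound("192.168.1.12", now=30),  # pool is empty
        nat.inbound("2.48.29.200", now=400),   # mapping idle too long, gone
        nat.outbound("192.168.1.12", now=400), # .200 now belongs to another host
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The same public address points at different internal hosts over time, and at no host at all when no mapping is live, which is the property the text relies on.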
The tightest security you can make with a DMZ would be to disallow all traffic outbound from the internal network from the exterior router, and to disallow all traffic inbound to the internal network from the Internet. In essence, this makes all traffic a two-step process. Clients on the Internet can peer only with machines that are located on your perimeter network, and clients that are deep inside the internal network can't see the Internet directly; they too need to use a middleman through a bastion host on the DMZ. You can see why this can really ruin an attacker's day. As we stated earlier, most acts of compromise are done by convenience. The harder you make it for the snoops to snoop, the harder you make it for them even to assess the steps required in their warfare, and the more difficult you make their ultimate goal, the faster they are going to evaporate.

2.1.2.4 Proxy servers

Proxies act much like bastion hosts, and in some firewall texts, the two overlap almost completely. We use the term "bastion host" to refer to a computer that acts as a staging area for information that is in transit either to or from the Internet. We use the term "proxy server" to refer to a type of bastion host that is running specialized software that masquerades as an internal machine to an external one. In the following example, we contrast a typical bastion host and typical proxy server.

A good illustration of an application for a bastion host is email. A bastion host is typically set up to act as the "delivery point" for email inbound from the Internet. Hence a DNS mail exchanger record (MX) is traditionally set up to point traffic to the bastion for delivery. From there, the bastion may re-deliver the mail to an interior mail host (which it can see due to its position in the firewall), or it could hold onto the mail, waiting for the client to read it with a POP mail client.
A whole selection of different firewalls can be constructed in this manner.

By contrast, a proxy service is more of an "in-transit" checkpoint than an information staging area. The proxy pretends to be one end of a connection, but protects the true sender or recipient from unwanted traffic. The service that presents the greatest trouble to a security manager's life is the standard file transfer protocol (FTP). It's insecure because it uses random, high-numbered ports to establish a peer-to-peer session with the client. Having a service that operates on more than one port, and especially one that operates on most any port greater than 1023, provides a real nightmare to the security administrator. To address this, a "passive" FTP session can be established (using the control and data ports 20 and 21 for actual data transit rather than one greater than 1023), but not all clients support it.

Using a proxy, as shown in Figure 2-5, is another option for establishing FTP across a firewall. After you set up a host machine on a perimeter network that acts for the client, which is located on the internal network, a full connection can be made with little security to give up. The FTP proxy lives on the perimeter network and is granted access through the exterior firewall to conduct FTP sessions. Special software must be installed on the proxy so that it can accept incoming requests from an FTP client beyond the interior gateway and masquerade as the client in talking to the outside world.

Figure 2-5. A proxy server used as a firewall

The same security model using proxy servers can be tooled using a dynamic firewall filtration router such as the Cisco PIX or the Firewall-1 system. A more complete description of the PIX's abilities can be found in Chapter 9.
Because a proxy service is more like a host computer than any sort of firewall, special care must be given to ensure that the proxy server is well protected by the site's security policy. Plus, it is important to note that a proxy service is an additional measure of protection and certainly should not be considered a total solution. The shield of a packet filtration firewall can help keep things segregated, and/or the network can be segmented in different subnets, isolating high-risk units from low-risk ones.

2.1.3 Use of Firewalling in a VPN

The importance of firewalling to a virtual private network is straightforward and to the point. Since a VPN is an interconnection of two or more disconnected networks utilizing public resources (such as the Internet) for transit, it follows that these networks individually must be protected in and of themselves. Imagine each network that needs to be placed in a VPN as a separate bubble, with its own connections and users. Viewed this way, each separate bubble needs a protective wall around it to make it safe from invasion.

The concept behind using firewalls with a VPN is to secure the networks as if they were isolated; then the system administrator opens specific ports in the packet filtering router to allow the encrypted data to stream from one bubble to the next. Thus, a private and secure communication (based on the type and implementation of the cryptographic routines used) is set up in a channel between two sites. The VPN software provides the security and the application layer routing, so that the networks in question will appear to be as one when presented to users at either end. Firewall techniques are the first line of protection in the fabric of a VPN, and they must be developed and tested before the benefits of the VPN can be fully harvested.
Even if the VPN software or hardware you deploy has built-in firewalling that seems to be everything you would ever need, chances are that you will need to follow some security guidelines on your network anyway, just to stay on the safe side.

2.2 Encryption and Authentication

The configuration and deployment of a virtual private network obviously involves more than just a packet filtration router. Otherwise, all you would have is a smoked glass window hiding your data from the rest of the world. The real concept of this book, and that of the VPN, is the secure communication between two distinct networks over a public medium, done in such a way that they seem to be sharing a LAN from either end. Thus far, our discussion of firewalling techniques only covers half of the equation. Firewalls either allow or deny traffic based on the source and destination, but once the traffic makes it into your network, the disciplines of authentication and encryption add further protection by securing the conversation.

Encryption can be regarded as a method for altering data into a form that is unusable by anyone other than the intended recipient, who has the means necessary to decrypt it. The input to an encryption algorithm is typically called clear text, while the output is referred to as ciphertext or crypt text. The encryption process protects the data by making the assailant work too hard or too long to get at what's being hidden. As we will discover, cryptographic routines use mathematics to alter the data in such a way that the process is difficult and expensive to reverse. As with all things, there are sometimes several ways to peel a banana.

Another important topic that we will discuss in this section—a topic that is closely linked with cryptography—is the art and science of authentication.
Where encryption and cryptography deal with the conversion of data into a protected form for transmission to a trusted party in a hostile environment, authentication is the identity checking and confirmation of that entity, which guarantees their claim with a great degree of certainty. The notion of authentication is very important to the concepts employed by creating a VPN. Without knowing with certainty the identity of a participant, how could you entrust a data communication channel to them? It
