7/31/2019 5NSA Session 11 VPN for Remote Clients 12101501
1/22
Virtual Private Network Access for Remote Clients
5BCS Session 10
Objectives
Understanding VPN Concepts
Planning VPN Access
NAP Integration
Configuring VPN Client Access
Understanding VPN Concepts
VPNs are encrypted tunnels to a remote server which routes the traffic into a remote network.
VPN connections are used to provide secure access to a remote network through the public infrastructure of the internet.
A common misconception is that VPN tunnels provide unrestricted access to a remote network. TMG traffic policies allow administrators to control traffic to and from the VPN Clients network.
Because VPN tunnels are intended to be secure and trusted, they must provide strong encryption and authentication methods. Additionally, they must employ tunnel management to control the traffic flow through the tunnel.
What is a VPN?
(Diagram: TMG and Branch Office)
Tunnel Types
In general, VPN tunnels fall into two operational modes: transport and tunnel. The primary difference between the modes is the way each is used:
Transport mode: This mode operates in the context of the two endpoints only; it cannot be used to route traffic between two remote networks. This is the mode generally used for remote access between individual users and the office.
Tunnel mode: This mode is intended to provide routing between two networks. This operational mode is typically used for site-to-site VPN connections, where disjoint networks need to communicate. In this mode, the non-VPN hosts in each network must use their VPN endpoint as a route to the remote end of the tunnel if they are to communicate with each other.
Protocols

Feature                     | SSTP                                                               | L2TP/IPsec                                                              | PPTP
Encapsulation               | PPP over HTTP over TCP over SSL                                    | IPsec                                                                   | GRE
Site-to-site capable        | No                                                                 | Yes                                                                     | Yes
Encryption                  | SSL with RC4 or AES                                                | IPsec ESP with 3DES or AES                                              | MPPE with RC4
Tunnel maintenance protocol | SSTP                                                               | L2TP                                                                    | PPTP
NAT traversal               | Native NAT or Web proxy                                            | IPsec NAT-T                                                             | NAT editor on the firewall
User authentication         | After the SSL session is established                               | After the IPsec encryption occurs                                       | Before PPTP encryption
Certificates                | Server certificate on VPN server, root CA certificate on VPN client | Computer certificates on both the client and server, or pre-shared keys | None
VPN Authentication Protocol Options

Authentication protocol | Considerations
PAP                     | Uses plaintext passwords and is the least secure authentication protocol
SPAP                    | Uses a reversible encryption mechanism employed by Shiva
CHAP                    | Requires passwords stored by using reversible encryption; compatible with Macintosh and UNIX-based clients; data cannot be encrypted
MS-CHAP                 | Does not require that passwords be stored by using reversible encryption; encrypts data
MS-CHAPv2               | Performs mutual authentication; data is encrypted by using separate session keys for transmitted and received data
EAP-TLS                 | Most secure remote authentication protocol; enables multifactor authentication
Planning VPN Access
Confidentiality: Select the most appropriate VPN protocol to use to encrypt VPN traffic end to end.
Integrity: Select the most appropriate authentication protocol and allow access to VPN resources based upon an endpoint integrity health check.
Availability: Make the resources available to the users.
Planning VPN Access
OS: Decide which OS you want to support

OS      | SSTP                   | L2TP/IPsec | PPTP
Windows | Windows Vista/7 only   | All        | All
Linux   | No                     | Yes        | Yes (PPTP client app)
Mac     | No                     | Yes        | Yes (PPTP client app)
Planning VPN Access
Security
Which protocol is more secure? Which protocol is better for your network?
PPTP provides the essential security required for most networks and is compatible with most of the platforms. The overall cost to implement PPTP is lower as it doesn't require certificates or other special settings. However, the availability of this protocol in a variety of remote locations is an issue: some locations don't allow outbound access for PPTP; they only allow HTTP and HTTPS outbound.
L2TP/IPsec offers the highest level of security, data confidentiality and integrity and origin authentication, but has a higher cost. You will need to deploy certificates, and you will need additional planning to support the Public Key Infrastructure (PKI) required to implement IPsec.
SSTP provides the highest level of availability in remote locations because it uses only HTTPS. But because it is the newest VPN protocol, it has the lowest level of compatibility with older operating systems.
Planning VPN Access
Performance
IPsec is much more CPU-intensive than PPTP, which means that the same Forefront TMG VPN server will consume more resources using L2TP than PPTP or SSTP.
Authentication
You need to define whether you will use your current Active Directory infrastructure to authenticate remote users or if you want to use a separate entity (the Remote Authentication Dial-In User Service, or RADIUS, protocol) to handle authentication.
The general guideline is to provide the end user with the smoothest experience, but with the most secure access control.
Planning VPN Access
VPN Access Policy
Administrative Controls: Requirements that the user must satisfy to be eligible for VPN access:
1. Does your job require remote access?
2. How often do you work from home?
3. Do you use a company asset (e.g. laptop) to access the VPN remotely?
4. What resources do you need to access remotely?
5. Can these resources be accessed via other means (such as Web Publishing or Server Publishing)?
Technical Controls: Use Forefront TMG firewall policy to allow users to have access only to the resources that they need. Use the principle of least privilege.
Another technology that can be included as a technical control is Network Access Protection (NAP). With NAP you can do endpoint protection by evaluating the health of the client's workstation and verifying whether the client satisfies the minimum requirements to gain VPN access.
NAP Integration
Windows Server 2008 Network Access Protection (NAP) enforces compliance with computer health requirements for network access. TMG integrates with that by acting as a VPN server.
VPN Client Access Configuration Options
Click the Virtual Private Networks (VPN) node to access the VPN client access configuration options.
Enable and Configure VPN Client Access
User mapping is used to apply firewall policies to users who do not use Windows authentication.
Default VPN Client Access Configuration

Component              | Default Configuration
System policy rules    | System policy rule that allows the use of PPTP, L2TP, or both is enabled
VPN access network     | TMG will listen for VPN client connections only on the External network
VPN protocols          | Only PPTP is enabled for VPN client access
Network rules          | A route relationship between the VPN Clients network and the Internal network; a NAT relationship between the VPN Clients network and the External network
Firewall access rules  | No firewall access rules are enabled
Remote access policy   | Default policy requires MS-CHAPv2 authentication
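The table above, together with the planning guidance earlier in these notes (EAP for additional security, less secure options only for client compatibility, least-privilege firewall rules), can be turned into a hardening audit. The following is an added example, not TMG's own API or code: it inspects a hand-constructed dictionary that stands in for an exported TMG VPN client access configuration (the field names are assumptions) and reports where it still matches the out-of-the-box defaults or weakens them.

```python
# Added example, not TMG code: audits a constructed dict standing in for an exported TMG VPN config.
# Authentication protocols from weakest to strongest, as ranked in the notes.
AUTH_RANK = {"PAP": 0, "SPAP": 1, "CHAP": 2, "MS-CHAP": 3, "MS-CHAPv2": 4, "EAP-TLS": 5}
# Certificates each tunnel protocol depends on (protocol comparison table); PPTP needs none.
CERT_NEEDED = {"SSTP": "a server certificate on the VPN server and a root CA certificate on clients",
               "L2TP/IPsec": "computer certificates on client and server, or pre-shared keys"}

def audit_vpn_config(cfg):
    """Return a list of (code, message) findings; an empty list means no issues found."""
    findings = []
    protocols, auth = set(cfg["protocols"]), set(cfg["auth_methods"])
    # Less secure options should be enabled only when client compatibility demands it.
    weak = sorted(m for m in auth if AUTH_RANK.get(m, 0) < AUTH_RANK["MS-CHAPv2"])
    if weak:
        findings.append(("WEAK_AUTH", "weaker than MS-CHAPv2 enabled: " + ", ".join(weak)))
    # The notes recommend EAP on top of the MS-CHAPv2 default for additional security.
    if "EAP-TLS" not in auth:
        findings.append(("NO_EAP", "EAP-TLS not enabled; only the default policy applies"))
    # PPTP-only is the default: MPPE/RC4 encryption and often blocked outbound at remote sites.
    if protocols == {"PPTP"}:
        findings.append(("PPTP_ONLY", "only PPTP enabled; consider SSTP or L2TP/IPsec"))
    # Certificate-based protocols are unusable until their certificates are deployed.
    for proto in sorted(protocols):
        if proto in CERT_NEEDED and proto not in cfg.get("certificates_deployed", ()):
            findings.append(("MISSING_CERTS", f"{proto} needs {CERT_NEEDED[proto]}"))
    # Default is to listen only on the External network; more listeners mean more exposure.
    extra = sorted(set(cfg["listen_networks"]) - {"External"})
    if extra:
        findings.append(("LISTENER_SCOPE", "VPN listener also on: " + ", ".join(extra)))
    # Least privilege: VPN Clients need access rules, but never a blanket allow ("all").
    rules = cfg["vpn_client_access_rules"]
    if not rules:
        findings.append(("NO_ACCESS_RULES", "no firewall access rules for VPN Clients"))
    elif any(r["protocols"] == "all" for r in rules):
        findings.append(("ALLOW_ALL", "a rule allows all protocols from VPN Clients"))
    return findings

# Constructed sample mirroring the "Default VPN Client Access Configuration" table.
DEFAULT_CONFIG = {"protocols": ["PPTP"], "auth_methods": ["MS-CHAPv2"],
                  "listen_networks": ["External"], "vpn_client_access_rules": []}

# Constructed sample following the planning guidance in these notes.
HARDENED_CONFIG = {
    "protocols": ["SSTP", "L2TP/IPsec"], "auth_methods": ["MS-CHAPv2", "EAP-TLS"],
    "certificates_deployed": ["SSTP", "L2TP/IPsec"], "listen_networks": ["External"],
    "vpn_client_access_rules": [{"destination": "Internal", "protocols": ["HTTPS"]}],
}
```

Run against DEFAULT_CONFIG the audit reports the PPTP-only protocol set, the missing EAP and the absent access rules; against HARDENED_CONFIG it returns no findings.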
How to Configure VPN Address Assignment
Configure static IP address assignment or DHCP.
Configure DNS and WINS servers using DHCP or manually.
How to Configure VPN Authentication
Configure EAP for additional security.
Configure less secure options only if required for client compatibility.
Accept the default for secure authentication.
How to Configure Authentication Using RADIUS
Enable RADIUS for authentication and accounting, and then configure a RADIUS server.
How to Configure User Accounts for VPN Access
Configure dial-in and VPN access permissions.
How to Configure VPN Connections from a Client
Practice: Configuring VPN Access for Remote Clients
Configuring VPN access on TMG
Configuring user account dial-in permissions
Configuring and testing a VPN client configuration
(Diagram: Mobile Client, Internet, TMG, DC)