Campus VPN service
Trevor Grove, CSCF
March 4, 2011
Overview
• The VPN project
• What is a VPN and why do I want it (what’s it good for)?
• What do we have?
• How do I use it?
• Technical stuff
• Questions
The VPN project
• The team:
  – Steve Carr (IST-Client Services)
  – Trevor Grove (CSCF)
  – Mike Patterson (IST-IT Security)
  – Jason Testart (IST)
  – Shawn Winnington-Ball (IST-CSS Unix)
  – Hong Zheng (IST-CSS Windows)
• And community testers
• Summer/Fall 2010; P.O. issued December
The “what” and “why”
• VPN: Virtual Private Network
  – Google “define: vpn”
  – “tunnels”, “connect to a workplace”, “private connection”, etc.
  – Using the public Internet to securely connect a remote computer to the uWaterloo network
  – Make the remote computer appear as if it were physically connected on campus
Why? (What does it do?)
• Off-campus computers are subject to network restrictions:
  – Campus border policies, e.g. Windows file sharing
  – “uWaterloo-only” websites & resources
  – Campus “interior” addresses (172.16/12)
  – ISP restrictions (message sizes, protocol ports)
• A VPN connection bypasses these, and makes the client look like it is on campus
• Improved telecommuting is a key component of the campus pandemic plan
Why, 2
• VPN connections are encrypted end-to-end
  – Like https, but for everything: email, file-sharing, web-browsing, remote desktop
  – Uses the same technology as web “ssl”
• Provides the basis for improved campus border security
  – Restrict protocols at the desktop to uWaterloo
  – Restrict protocols at the border
• “I mostly use it to avoid setting up a myriad of SSH tunnels to places that we lock down to campus subnets, or are in the 172.16/12 space”
Product selection
• Four products investigated:
  – OpenVPN (hardware costs, no software costs, per-client cost per year)
  – Microsoft Forefront UAG (hardware & software costs, no per-client cost)
  – Juniper SSL VPN Appliance (server costs, per-client cost)
  – Cisco ASA (server costs, per-client costs)
• Shortlisted Juniper & Cisco; equivalent functionality, Cisco price advantage
So what do we have?
• Cisco ASA (“Adaptive Security Appliance”) servers
  – Specifically, a pair of ASA 5400s, configured in High Availability mode
• Licenced for 1,000 simultaneous users (unlimited client installations)
  – Intended audience: staff, faculty, grad employees
• Classified as an “ssl vpn”, uses the standard https port
  – No problems with firewalls needing to allow PPTP or GRE
How do I use it? Getting started…
• https://cn-vpn.uwaterloo.ca
Getting started, 2
Getting started, 3
• Use AnyConnect to “plug in” on campus:
Getting started, 4
Getting started, 5
• Internet Explorer => Tools => Internet Options => Security
Getting started, 6
Getting started, 7
…annoying Windows “User Account Control” prompt…
…possible warnings about “ActiveX installation”…
Getting started, 8
After client installation
WatIAM credentials
Ending a session
• Use task-bar notification icon (lower right)
Client platforms
• Tested under WinXP, Vista, Win7; Mac OSX; Linux Ubuntu 10.04
  – For platforms with no ActiveX technology, will need to download installer package and run
  – Mac OSX seems to be straightforward
  – Ubuntu slightly complex installation process:
    • Download installer package & script
    • Run installer script from command line
• Tested with Internet Explorer 6+, Firefox 3+, Chrome, Safari
How does it work?
• Before the VPN connection:
  (Diagram: PC with NIC address 1.2.3.4 → Internet → ISP → destination nets 129.97/16 and 172.16/12; potential connection impediments along the path)
How does it work, 2
• After the VPN connection:
  (Diagram: PC with NIC address 1.2.3.4 and VPN client-assigned address in 172.16.36/22; client routes campus addresses via VPN → Internet → ISP → VPN server, which routes 172.16.36/22 to campus nets; destination nets 129.97/16 and 172.16/12)
Technical details
• Installs a network pseudo-device on the client
• Client connects to server, receives a VPN tunnel IP address in 172.16.36/22:

  Ethernet adapter Local Area Connection:
     Connection-specific DNS Suffix . : uwaterloo.ca
     Description . . . . . . . . . . . : Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
     Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
     DHCP Enabled. . . . . . . . . . . : No
     Autoconfiguration Enabled . . . . : Yes
     …
     IPv4 Address. . . . . . . . . . . : 172.16.36.18(Preferred)
     Subnet Mask . . . . . . . . . . . : 255.255.252.0
     Default Gateway . . . . . . . . . :
     DNS Servers . . . . . . . . . . . : 129.97.2.1
                                         129.97.129.10
     …
Technical details, 2
• Client routes uWaterloo traffic through the tunnel, other traffic as usual:

  IPv4 Route Table
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface      Metric
            0.0.0.0          0.0.0.0      129.97.15.1    129.97.15.204     266
          127.0.0.0        255.0.0.0         On-link        127.0.0.1     306
          127.0.0.1  255.255.255.255         On-link        127.0.0.1     306
    127.255.255.255  255.255.255.255         On-link        127.0.0.1     306
         129.97.0.0      255.255.0.0         On-link     172.16.36.18       2
       129.97.2.197  255.255.255.255     129.97.15.1    129.97.15.204      11
      129.97.15.204  255.255.255.255         On-link    129.97.15.204     266
     129.97.255.255  255.255.255.255         On-link     172.16.36.18     257
         172.16.0.0      255.240.0.0         On-link     172.16.36.18       2
        172.16.36.0    255.255.252.0         On-link     172.16.36.18     257
       172.16.36.18  255.255.255.255         On-link     172.16.36.18     257
      172.16.39.255  255.255.255.255         On-link     172.16.36.18     257
     172.31.255.255  255.255.255.255         On-link     172.16.36.18     257
  ...
    255.255.255.255  255.255.255.255         On-link    129.97.15.204     266
    255.255.255.255  255.255.255.255         On-link     172.16.36.18     257
Technical details, 3
• Fewer hops via VPN:
  – With VPN:

  C:\Users\trg\Desktop>tracert www.uwaterloo.ca
  Tracing route to info.uwaterloo.ca [129.97.128.40] …:
    1     8 ms    58 ms     6 ms  v602-cr-rt-phy.uwaterloo.ca [172.16.31.194]
    2     6 ms     4 ms     4 ms  re1-0-cr-sa.uwaterloo.ca [172.16.31.75]
    3     7 ms     4 ms     5 ms  info.uwaterloo.ca [129.97.128.40]
  Trace complete.

  – Without VPN:
    1    12 ms     1 ms     1 ms  dccore-nsfw02-cscfnet.uwaterloo.ca [129.97.15.1]
    2     4 ms     4 ms     4 ms  dc-cs2-csfwnet.uwaterloo.ca [172.19.5.1]
    3     5 ms     4 ms     5 ms  dc-cs1-trk1.uwaterloo.ca [172.19.1.18]
    4     3 ms     2 ms     *     v720-cn-rt-phy.uwaterloo.ca [129.97.1.77]
    5     5 ms     4 ms     4 ms  v1133-cr-rt-phy.uwaterloo.ca [172.16.31.14]
    6     4 ms     2 ms     2 ms  re1-0-cr-sa.uwaterloo.ca [172.16.31.75]
    7     3 ms     4 ms     3 ms  info.uwaterloo.ca [129.97.128.40]
  Trace complete.
Technical details, 4
• VPN will not forward non-uWaterloo traffic to off-campus
  – Relies on the client to route uWaterloo traffic via the VPN, other traffic as usual
• Session idle timeout (automatic disconnect) of 30 minutes
  – But be aware of background processes
Questions?