VPN Introduction and Scenarios

  • 8/2/2019 VPN Introduction and Scenarios

    1/82

    Virtual Private Network (VPN)

    N. Ganesan, Ph.D.

    Chapter Objectives

    Chapter Modules

    Primary Reference

    VPN Overview by Microsoft

    VPN

    A virtual private network is a network established over, in general, the Internet.

    It is virtual because it exists as a virtual entity within a public network.

    It is private because it is confined to a set of private users.

    Why is it a Virtual Private Network?

    From the user's perspective, it appears as a network consisting of dedicated network links.

    These links appear as if they are reserved for the VPN clientele.

    Because of encryption, the network appears to be private.

    Example of a VPN

    VPN Major Characteristics

    Must emulate a point-to-point link

    Done by encapsulating the data so that it can travel across the Internet to reach the end point.

    Must emulate a private link

    Done by encrypting the data in the data packets.

    Typical VPN Connection

    Tunnel and Connections

    Tunnel: the portion of the network where the data is encapsulated.

    Connection: the portion of the network where the data is encrypted.

    Application Areas

    In general, a VPN provides users with a connection to the corporate network regardless of their location.

    The alternative, using truly dedicated lines for a private network, is an expensive proposition.

    Some Common Uses of VPN

    Provide users with secured remote access over the Internet to corporate resources.

    Connect two computer networks securely over the Internet.

    Example: connect a branch office network to the network in the head office.

    Secure part of a corporate network for security and confidentiality purposes.

    Remote Access Over the Internet

    Connecting Two Computer Networks Securely

    Securing a Part of the Corporate Network

    Basic VPN Requirements

    User Authentication

    Address Management

    Data Encryption

    Key Management

    Multi-protocol Support

    User Authentication

    The VPN must be able to authenticate users and allow only authorized users to access the network.

    Address Management

    Assign addresses to clients and ensure that private addresses are kept private on the VPN.

    Data Encryption

    Encrypt and decrypt the data to ensure that others on the network do not have access to the data.

    Key Management

    Keys must be generated and refreshed for encryption at both the server and the client.

    Note that keys are required for encryption.

    Multi-protocol Support

    The VPN technology must support common protocols on the Internet, such as IP, IPX, etc.

    VPN Implementation Protocols

    Point-to-Point Tunneling Protocol (PPTP)

    Layer 2 Tunneling Protocol (L2TP)

    IPSec

    Tunneling

    Point-to-Point Tunneling Protocol (PPTP)

    Encapsulate and encrypt the data to be sent over a corporate or public IP network.

    Layer 2 Tunneling Protocol (L2TP)

    Data is encrypted and encapsulated to be sent over communication links that support a user datagram mode of transmission.

    Examples of such links include X.25, Frame Relay and ATM.

    IPSec Tunnel Mode

    Encapsulate and encrypt in an IP header for transmission over an IP network.

    Layer 2 Tunneling Protocols

    PPTP

    L2TP

    Both encapsulate the payload in a PPP frame.

    Layer 3 Tunneling Protocol

    IPSec Tunneling Mode

    Encapsulates the payload in an additional IP header.

    PPP Format

    PPTP Format

    L2TP Format

    Windows Implementation of VPN

    L2TP for tunneling

    IPSec for encryption

    Known as L2TP/IPSec

    Windows Implementation

    IPSec Tunnel Mode

    Supports only IP networks

    Tunnel Types

    Voluntary

    The VPN request is initiated by the client.

    The client remains the end point.

    Compulsory

    The VPN access server creates a compulsory tunnel for the client.

    In this case, the dial-up access server between the user's computer and the tunnel server is the tunnel end point that acts as a client.

    The Choice

    Voluntary tunneling is used in most applications.

    Other Important Protocols in VPN

    Microsoft Point-to-Point Encryption (MPPE)

    Extensible Authentication Protocol (EAP)

    Remote Authentication Dial-in User Service (RADIUS)

    A Note on RADIUS

    Keys

    Symmetric Keys

    Asymmetric Keys

    Summary

    End of Module

    VPN Scenarios

    N. Ganesan, Ph.D.

    Chapter Objectives

    Chapter Modules

    Reference

    Some Example Scenarios

    VPN remote access for employees.

    On-demand branch office access.

    Persistent branch office access.

    Extranet for business partners.

    Dial-up and VPNs with RADIUS authentication.

    VPN Remote Access for Employees

    VPN Remote Access for Employees

    Router-to-Router Branch Office Connection

    Branch Office Connection (Router-to-Router)

    VPN Based Extranet

    Dial-up and VPNs with RADIUS Authentication

    Module

    Configuring a VPN Environment

    Test Scenario

    Component Details

    A computer running Windows Server 2003, Enterprise Edition, named DC1 that is acting as a domain controller, a Domain Name System (DNS) server, a Dynamic Host Configuration Protocol (DHCP) server, and a certification authority (CA).

    A computer running Windows Server 2003, Standard Edition, named VPN1 that is acting as a VPN server. VPN1 has two network adapters installed.

    A computer running Windows Server 2003, Standard Edition, named IAS1 that is acting as a Remote Authentication Dial-in User Service (RADIUS) server.

    Component Details Cont.

    A computer running Windows Server 2003, Standard Edition, named IIS1 that is acting as a Web and file server.

    A computer running Windows XP Professional named CLIENT1 that is acting as a VPN client.

    Private and Public Networks

    Private: 172.16.0.0/24

    Simulated Public: 10.0.0.0/24
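    As an added example (not from the slides or the Microsoft reference they summarize), the following Python models two points made above: the header layering of the layer 2 tunnels (PPTP, L2TP) against the layer 3 IPSec tunnel, which is why only the PPP-based tunnels can carry non-IP protocols such as IPX, and the address-management requirement applied to this test scenario's address plan. The addresses 10.0.0.2 (VPN1's Internet side), 172.16.0.50 (the address VPN1 assigns CLIENT1) and 172.16.0.11 (IIS1) are assumed values, not taken from the page.

```python
import ipaddress
# Address plan from the test scenario on this page.
PRIVATE_NET = ipaddress.ip_network("172.16.0.0/24")  # intranet
PUBLIC_NET = ipaddress.ip_network("10.0.0.0/24")     # simulated Internet

def tunnel_stack(tunnel, inner_proto):
    """Header layering, outermost first. PPTP and L2TP are layer 2 tunnels: the
    payload rides in a PPP frame, so anything PPP carries (IP, IPX, ...) fits.
    IPSec tunnel mode wraps an IP packet in a new IP header, so only IP fits."""
    if tunnel == "PPTP":
        return ["IP", "GRE", "PPP", inner_proto]  # PPP over GRE (RFC 2637)
    if tunnel == "L2TP/IPSec":  # Windows: L2TP over UDP, protected by ESP
        return ["IP", "ESP", "UDP", "L2TP", "PPP", inner_proto]
    if tunnel == "IPSec":
        if inner_proto != "IP":
            raise ValueError("IPSec tunnel mode carries IP packets only")
        return ["IP", "ESP", "IP"]
    raise ValueError("unknown tunnel type: " + tunnel)

def can_tunnel(tunnel, inner_proto):
    """True when the tunnel type can carry the given payload protocol."""
    try:
        tunnel_stack(tunnel, inner_proto)
        return True
    except ValueError:
        return False

def check_addresses(outer_src, outer_dst, inner_src, inner_dst):
    """Address-management check on one decapsulated packet: outer addresses
    must be simulated-public, inner addresses must be intranet. Returns the
    list of findings; an empty list means the packet follows the plan."""
    findings = []
    for label, addr in (("outer src", outer_src), ("outer dst", outer_dst)):
        if ipaddress.ip_address(addr) not in PUBLIC_NET:
            findings.append(f"{label} {addr} is not a simulated-public address")
    for label, addr in (("inner src", inner_src), ("inner dst", inner_dst)):
        if ipaddress.ip_address(addr) not in PRIVATE_NET:
            findings.append(f"{label} {addr} is outside the private address space")
    return findings

# Constructed records (not from the page): CLIENT1 is 10.0.0.1 on the simulated
# Internet; VPN1's address 10.0.0.2 and the assigned 172.16.0.50 are assumed.
SAMPLE_RECORDS = [
    ("10.0.0.1", "10.0.0.2", "172.16.0.50", "172.16.0.11"),  # consistent
    ("10.0.0.1", "10.0.0.2", "10.0.0.1", "172.16.0.11"),     # public address leaked inside
]

def audit(records=SAMPLE_RECORDS):
    return [check_addresses(*r) for r in records]
```

    Running audit() on the constructed records flags the second one, where the client's simulated-public address appears inside the tunnel instead of the intranet address VPN1 assigned it.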

    DC1

    DC1 is a computer running Windows Server 2003, Enterprise Edition that is providing the following services:

    A domain controller for the example.com Active Directory domain.

    A DNS server for the example.com DNS domain.

    A DHCP server for the intranet network segment.

    The enterprise root certification authority (CA) for the example.com domain.

    Step 1: Configuring DC1

    The first step is to configure the following:

    Active Directory

    DNS

    DHCP

    CA

    Step 2: Configure IAS1

    Install Windows Server.

    Provides RADIUS authentication, authorization, and accounting for VPN1.

    Register the server in Active Directory.

    Configure new remote access policies.

    Specify the authentication method and encryption level.

    Step 3: Configure IIS1

    Configure this as a web server for web access as well as file sharing.

    Step 4: Configure VPN1

    Install VPN1 as a member server in the domain.

    Configure TCP/IP for the intranet and Internet sides.

    Configure and enable routing and remote access.

    Set up the server to work with a RADIUS server.

    Set up the DHCP relay agent parameters.

    Step 5: Configure Client1

    CLIENT1 is a computer running Windows XP Professional that is acting as a VPN client and gaining remote access to intranet resources across the simulated Internet. To configure CLIENT1 as a VPN client for a PPTP connection, perform the following steps:

    1. Connect CLIENT1 to the intranet network segment.

    2. On CLIENT1, install Windows XP Professional as a member computer named CLIENT1 of the example.com domain.

    3. Add the VPNUser account in the example.com domain to the local Administrators group.

    4. Log off and then log on using the VPNUser account in the example.com domain.

    5. From Control Panel-Network Connections, obtain properties on the Local Area Network connection, and then obtain properties on the Internet Protocol (TCP/IP).

    6. Click the Alternate Configuration tab, and then click User configured.

    7. In IP address, type 10.0.0.1. In Subnet mask, type 255.255.255.0. This is shown in the following figure.

    8. Click OK to save changes to the Internet Protocol (TCP/IP). Click OK to save changes to the Local Area Network connection.

    9. Shut down the CLIENT1 computer.

    10. Disconnect the CLIENT1 computer from the intranet network segment, and connect it to the simulated Internet network segment.

    11. Restart the CLIENT1 computer and log on using the VPNUser account.

    12. On CLIENT1, open the Network Connections folder from Control Panel.

    13. In Network Tasks, click Create a new connection.

    14. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.

    15. On the Network Connection Type page, click Connect to the network at my workplace. This is shown in the following figure.

    19. Click Next. On the Connection Availability page, click Next.

    20. On the Completing the New Connection Wizard page, click Finish. The Connect PPTPtoCorpnet dialog box is displayed. This is shown in the following figure.

    21. Click Properties, and then click the Networking tab.

    22. On the Networking tab, in Type of VPN, click PPTP VPN. This is shown in the following figure.

    23. Click OK to save changes to the PPTPtoCorpnet connection. The Connect PPTPtoCorpnet dialog box is displayed.

    24. In User name, type example/VPNUser. In Password, type the password you chose for the VPNUser account. This is shown in the following figure.

    25. Click Connect.

    26. When the connection is complete, run Internet Explorer.

    27. If prompted by the Internet Connection Wizard, configure it for a LAN connection. In Address, type http://IIS1.example.com/winxp.gif. You should see a Windows XP graphic.

    28. Click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the Local Drive (C:) on IIS1.

    29. Right-click the PPTPtoCorpnet connection, and then click Disconnect.

    End of Chapter