Restrict What VPN Users Can Get To
10.4.3 Avoid Public DNS Information for VPN Servers and Routers
Since your VPN server will be an accessible entry point to your network, its better not to let attackers know what it is or what it does. The simplest thing to do is not assign a DNS hostname to your VPN server at all. If you must assign one for internal use, for instance, look into setting up a fake DNS server with meaningless information thats accessible to the greater Internet, while you have a server with specific information to use inside your LAN. [1] At any rate, dont let the outside world see a meaningful name for your VPN server, such as avtunnel.caffeine.net, pptp-gw.caffeine.net, or even win-nt.caffeine.net. Any one of these tells an attacker what type of system it is, and what vulnerabilities can be exploited. Thats why many network administrators will follow some theme, such as Dr. Seuss characters, when naming hosts. Its a good way to give meaningless yet easy to remember names to systems— not just an attempt to be cute. We recommend you set up an alternate DNS server for internal use anyway; this way you can give all servers more meaningful names for Intranet users.10.5 Keeping Yourself Up-to-Date
Its a good idea to keep your VPN up-to-date, but dont be in a rush to upgrade just because youre looking for a new feature or two. New software is notorious for introducing as many problems as it patches. Here are the primary reasons to upgrade your VPN software: • Theres a security hole in the product you currently use. • Theres a bug that causes system problems such as crashes, memory leaks, or networking problems. • The current version isnt compatible with another product on your network, or a product that the remote users have, and the new version improves interoperability. • The new version has several features essential to the operation of your VPN. Finding information on VPNs is currently like trying to stargaze in the middle of Las Vegas— theres a lot of marketing hype out there, but practical information tends to get washed out. Nonetheless, weve compiled into Appendix B a short list of things to keep up with in the world of VPNs. 1 A discussion of how to set up a fake DNS host can be found in Building Internet Firewalls, by D. Brent Chapman and Elizabeth D. Zwicky OReilly Associates. 167Chapter 11. A VPN Scenario
If you havent gotten enough of the virtual private network yet, this chapter will cover a real, live, up and running VPN. Weve covered the theory and some general cost-to-benefit analysis, and now we move on to some actual products working in a production environment. Though we have used specific products here like Ascend and Cisco, you may well find that other solutions better fit your enterprise. In other words, this chapter isnt VPN law, just an example.11.1 The Topology
Well call the company in this case study Immediate PC. It manufactures and sells computer parts and peripherals. About a year ago, Immediate PC made the commitment to standardize its network communications between its various sites over the Internet. Naturally, their main concerns were security, cost, and reliability. Communication needs at Immediate PC are like those at most companies. Sales agents in the field must communicate with manufacturing managers at the factories to order and ensure production of needed stock. The retail store arm of the company also communicates with shipping, manufacturing, and several other departments on a daily basis. Various factories and other divisions across the country must send and obtain data to keep their operations flowing. Several different platforms are used at various levels of the organization. The main corporate network is comprised of Windows NT servers and Windows NT or Windows 95 workstations. Additionally, there are several Unix servers of various flavors. Remote access users employ a variety of operating systems, and a few departments within the main corporate networks use Macintosh systems. Without the Internet, the flow of data and the cost associated with private lines and dial-up access were crippling operations and eating into profits. Having decided to use advanced technology to remedy the situation, Immediate PC migrated gradually from private lines and remote access to a controlled use of the Internet. Research, training, and various levels of approval preceded the move to virtual private networks. After this move, the company reduced the cost of network communication and resolved several communications problems. What emerged was the virtual private network detailed in the network diagram at the end of this chapter. The chosen architecture links a central corporate office with various remote offices, large and small, in addition to a gaggle of remote access users. The following sections detail what was needed in connections to the Internet, equipment, software, and virtual private network solutions.11.2 Central Office
The central office is the natural source of information about products and operations. Security is critical. Besides the VPN, several other Internet services are centralized here, including theParts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more