Tracing the packets Implementing PC-to-WAN Tunnels
Chapter 7. Configuring and Testing the AltaVista Tunnel
7.1 Getting Busy
Weve given you theoretical background on the AltaVista Tunnel, and now its time to get down to business: configuring it for your enterprise. In this chapter, we lay out step by step how to install, configure, test, and troubleshoot the AltaVista Tunnel Extranet server and Telecommuter client. Note that though this package is available for Unix, we only cover in depth the Windows NT9598 installation and configuration. AltaVista is kind enough to have provided a comprehensive installation and configuration guide for its Unix flavors. We do, however, cover installation requirements and considerations for all platforms available to the AltaVista client.7.2 Installing the AltaVista Tunnel
The installation of the AltaVista Tunnel on all platforms is assisted by a GUI installation program, which makes all the necessary updates to the system and installs the networking pseudo-adapters and icons. This process is fairly generic across platforms, but there are specific installation requirements for each platform. Review the next section carefully before running out and purchasing the software. The AltaVista Tunnel Extranet server for Unix is available in one version: Digital Unix. Table 7-1 shows the installation requirements for this operating system. Confirm that your system matches these attributes before installation. Table 7-1. Requirements for AltaVista Tunnel on Unix Systems Requirements Digital Unix Hardware All Alpha System OS Version 3.2c or later Memory 32 MB Hard disk space 25 MB Root privileges Yes The AltaVista Tunnel for the Windows operating system is available as an Extranet server or a Telecommuter client see Table 7-2 . Table 7-2. Requirements for AltaVista Tunnel on Windows Systems Requirements Extranet Server Telecommuter Processor and RAM See below Intel 80486 or higher with 8 MB of RAM OS NT 4.0 SP 3 or higher NT 4.0 or higher or Windows 95 Hard disk space 15 MB 5 MB Administrator access Yes NA The processor and memory requirements for the Extranet server are dependent on the number of tunnels needed for the virtual private network. Table 7-3 breaks down the minimum requirements. 108 Table 7-3. Requirements for AltaVista Tunnel on Windows for Extranets Tunnels Processor RAM 50 Intel Pentium 90 48 MB 100 Intel Pentium 133 64 MB 200 Intel Pentium 200 or Digital Alpha Processor 64 MB7.2.1 Preparing to Install
During the installation process, the AltaVista Tunnel edits the registry file on Windows NT machines, or the License database on Digital Unix. For all platforms, it installs a networking pseudo-adapter onto the operating system. In order to safe- guard your computer against corruption, you should perform a backup of the entire system. Ensure that you have Administrator privileges on the NT server or root access on the Unix platforms before installing.7.2.2 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
The Windows NT version of the AltaVista Tunnel Extranet server is distributed either as a ZIP file available for purchase from the AltaVista web site, or on CD-ROM. In NT 4.0, exit all other applications before installing. The installation procedure provides default settings that are compatible with most systems, but you may need to tweak these settings. Unless otherwise specified, all files are installed into the default directory: C:\AltaVista\Tunnel\. The installation program installs the following components to the following locations: • AltaVista Tunnel Service itnd —to the Services Control Panel • AltaVista Tunnel pseudo-adapter—to the Network Control Panel • TunMan AltaVista Management Program tunman.exe—to the AltaVista Folder • Etunnel Help File etunnel.hlp—to the AltaVista Folder • Tunnel Database File tunnel.dat—to the \AltaVista\Tunnel\Data directory • The master encryption key master.key—to the \AltaVista\Tunnel\Data\Keys directory The tunnel.dat and master.key files should not be moved from their installed directories. If they are moved, you must manually edit the Registry or the AltaVista Tunnel Extranet server will not function. The AltaVista Tunnel sets IP routing IP forwarding to be enabled and sets all tunnel ports to 3265. Though the tunnel ports can be configured manually via the Registry, disabling IP routing will likely disable the Tunnel server.7.2.2.1 Windows NT 4.0
Once again, follow these steps to achieve your VPN: 1. Log in to the Windows server as an Administrator or equivalent. 2. Either insert the AltaVista Tunnel CD-ROM or use WINZIP or PKUNZIP to extract the Tunnel server archive into a temporary directory.Parts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more