AltaVista Tunnel Extranet server
6.3.3.2 Security procedures
When you create a tunnel group, the AltaVista Tunnel Extranet server requires you to manually enter a unique username and password. Once the group is configured, the tunnel server creates a unique 1024-bit RSA authentication key for that particular group. Both of these authentication pieces may be extracted into separate ETA and key files. The ETA file contains the user group name and password, and is by default named groupname.eta. The key file is typically named groupname.key. These authorization files are needed by remote clients for connecting to and authorizing tunnel sessions to the tunnel server. Once extracted, these files should be distributed to all authorized remote clients. These security files should be handled as highly confidential information, as anyone with this file will be allowed access to the virtual private network. Distribution by floppy disk or private FTP site are semi-secure ways of distribution, but all transfers should be logged by the system administrator to maintain the integrity of the security system.6.3.3.3 AltaVista Tunnel Telecommuter Client
The tunnel client software contains a single configuration for each tunnel group to which the client has access. Thus, the user could be a sales forecaster for a manufacturing company, and have access to the Sales group for historical sales data and the Manufacturing group for factory throughput. The following parameters are specific to each group: Username This is the unique tunnel group name as it appears in the tunnel servers authentication tables. This parameter is part of the extractable ETA file from the Extranet server, or it may be entered manually. Server key ID The server key also comes from the tunnel servers authentication tables. Each group has a specific key, which allows the client access to the tunnel group. A copy of this key is provided in the extractable key file from the Extranet server. 96 Tunnel server This is the domain name or IP address of the tunnel server on the Internet and the port for which tunnel traffic is handled default 3265. First firewall The first firewall is not typically used for single remote PCs, as the traffic is transparent until received by the remote firewall. This first firewall is typically the end users ISP, through which outbound tunnel traffic passes transparently. On the Extranet server acting as an outbound tunnel client, the first firewall parameter lists the address and port default 3265 of the local firewall between the LAN and the Internet. Second firewall This is the physical address and tunnel port for the private network being accessed. Ultimately, it is the first destination for tunnel traffic, and it is relayed from the tunnel port on the firewall to the tunnel port on the Extranet server for verification.6.4 VPNs and AltaVista
AltaVistas flexibility allows an enterprise to accept several tunnel sessions to the virtual private LAN, either from a remote LAN or from remote single machine connections. The configurations here are each subtly different, because the Single Connection-to-LAN and LAN-to-LANLAN-to-WAN implementations of the AltaVista Tunnel are different. The LAN-to-LANLAN-to-WAN tunnel configurations are for an enterprise that requires two-way tunnel traffic between its two networks where an Extranet server is required on each end of the connection. This scenario is actually meant to replace traditional private leased line connections by using secure tunneling sessions over the Internet. The Single Connection-to- LAN scenario allows multiple end users to access the private network over the Internet, in a secure fashion, without being tied to a fixed IP address or a single access provider. In the following sections we show a sample configuration illustrating each scenario.6.4.1 Implementing a LAN-to-LAN Tunnel
This configuration features a firewall on each side.6.4.1.1 Sample configuration
In the LAN-to-LAN tunnel configuration shown in Figure 6-1 , LAN 1 is a corporate office connected to the Internet via a full T1 and protected with a firewall. There are four machines on the LAN: the AltaVista Extranet server, Finance, Human Resources, and Research Development. LAN 2 is a remote sales office running a second AltaVista Extranet server and three host machines. LAN 2 is connected to the Internet via 128Kbps ISDN and is protected by a firewall. This configuration is set up to illustrate the ability of the AltaVista Tunnel server to act as either an outbound or inbound tunnel router. In this example, LAN 1 is the inbound tunnel group and LAN 2 is the outbound tunnel group.Parts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more