How PPTP Can Bypass a Proxy Server
Chapter 6. Implementing the AltaVista Tunnel 98
The AltaVista Tunnel is a product from Digital Equipment Corporation now Compaq that supports moderately heavy use over a virtual private network connection. As virtual private networks mature, the AltaVista Tunnel continues to evolve, increasing security and adding features and functionality. Now reincarnated as the Altavista Tunnel 98, this client-server package is still a solid solution to a companys VPN needs. In this chapter we introduce some of the advantages, drawbacks, and key concepts to the functionality of the AltaVista solution. Though this is not the only virtual private networking solution, it is one that seems to be taking the lead in this still maturing field. The AltaVista Tunnel 98 is available in two versions: the Extranet Server and the Telecommuter Client. The Extranet server manages connections on the office side, while remote users dial in using Telecommuter Client. The Extranet server itself can also act as a tunnel client, allowing an entire LAN to access a tunnel to a remote LAN. The server keeps a file on each user, defining each user with a username, group name, password, and half of a digital key for the purposes of encryption. Each users client software is configured to issue this information to the server upon initiating a connection. The server secures traffic for the tunnel network with a combination of encryption and conventional authorization using usernames and passwords. This authorization scheme allows remote connections to the tunnel network from any point on the Internet. Each user belongs to one or more groups, and each group gains access to certain systems protected behind the server. The server manages the user groups name and password files, and each groups individual encryption keys. This system gives the enterprise a secure and fairly versatile solution to implementing a virtual private network, without a great expense in administrative time and headaches. While the AltaVista Tunnel Extranet Edition can be used on a computer running other network services, it is advised that this server be managed as a highly trusted system, as the AltaVista Tunnel software handles key generation and management, and authorizes remote tunnel clients. In other words, you should isolate it physically and remove non-essential software. The Telecommuter Client manages each virtual private network connection that the user has access to, allowing for multiple group configurations, keys, and routing information. The tunnel session from the end user side of the connection is transparent to the users Internet service provider, as the remote tunnel server handles all virtual IP assignments and routing information. The virtual IP address is assigned from a defined range in the Extranet servers configuration. These IP addresses are assigned to connecting users for the purpose of routing tunnel traffic. The end users PC then connects to the private network as if it were a node on the local network. The tunnel session is secure, and transparent to the end user. The AltaVista Tunnel Extranet server is available for Windows NT 4.0 SP3 or later, or Digital Unix. The AltaVista Tunnel Telecommuter Client is available for Windows NT 4.0 SP3 or later, MacOS v.8.0, or the Windows 9598 operating systems. 906.1 Advantages of the AltaVista Tunnel System
The AltaVista Tunnel system has three advantages of note: accessibility, security, and general flexibility.6.1.1 Accessibility
Other virtual private network solutions are geared toward providing secure network-to- network access over the Internet. This setup requires fixed IP addresses on both sides, and specific firewall configurations for tunnel traffic on both sides. While the AltaVista Tunnel can provide a LAN-to-LAN virtual private network, its main difference from other solutions resides in its independence from fixed IP addresses, and its user-based verification system. With the use of unique group names, passwords, and encryption keys, the AltaVista Tunnel lets a user log in from a variety of locations, free to use a different IP address each time. This allows the individual user to roam from one Internet access point to another, maintaining access to the corporate LAN. User groups make configuration easier. For instance, you could assign all salespeople to one group, letting them share a single password, and limit their access to particular machines on your corporate network that are owned by the sales organization. User-group authentication, rather than IP authentication, is the functional widget that allows roaming access. The inbound Extranet server is configured with tunnel groups that have specific group usernames, passwords, and individual tunnel keys. These groups, once verified, are routed from a range of dynamically assigned virtual IP addresses to ranges of physical IP addresses on the local network. This allows certain groups of users from the Internet access to specific machines or groups of machines on the local net. The authentication and encryption information is shared by all users authorized to access each specific tunnel. Each user configures an AltaVista Tunnel Telecommuter client with the appropriate username, password, and session key, and connects to the corporate private LAN.6.1.2 Security
The Tunnel is quite state-of-the-art as far as encryption and authentication go.6.1.2.1 Three-part encryption technique
The AltaVista Tunnel initially employs RSAs 1024-bit public key exchange technology to provide authentication between tunnel participants. After the initial authentication, the tunnel switches to RSAs RC4 128-bit secret key encryption, which seals all data into secured cryptographic packets for transport to the receiving tunnel client. The receiving tunnel client then decrypts these sealed packets into a readable form. Tunneling data remains encrypted until it is received by the Extranet Server, ensuring data security even within the trusted network. Data integrity of the encrypted packets is transparently checked using RSAs MD5 checksum algorithm, verifying that the data has not been tampered with via transport. Finally, AltaVista Tunnel exchanges new encryption keys among tunnel clients from 30 minutes to 1,440 minutes 1 day during the tunnel session, depending on the configuration parameters set on the server. This re-keying operation happens automatically and is transparent to the various users on the tunnel.Parts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more