Connection Hardware and Operating System
11.5.3 VPN Package
The PPTP client is used by end users to access the VPN.
11.6 A Network Diagram
Figure 11-1 shows connections from the Internet to the central office, to a large office, a small office, and a remote user. It is important to note the flow of traffic throughout the VPN. PPTP servers validate incoming traffic. This encrypted traffic passes through interposing firewalls and is relayed directly to the PPTP server. The traffic is then routed to the desired internal network node. The Cisco PIX firewall, on the other hand, immediately directs authorized traffic to the network and thus provides a faster backbone for the VPN.

Figure 11-1. VPN hardware, software, and protocols

Regardless of the need or resources available, if your enterprise requires secure network connections over the Internet, there is a solution available. Other solutions, such as IPSec, L2F, SSH, or L2TP, would work just as efficiently. What should be noted is that your organization's needs should determine the VPN solution chosen.

Appendix A. Emerging Internet Technologies
A.1 IPv6
Because VPNs ultimately use the Internet as their transport medium, they are subject to the advantages and disadvantages associated with using the Internet Protocol (IP). As you are probably aware, the mechanics of the Internet (the TCP/IP protocols) rely not on the familiar names that we are used to seeing in URLs, such as www.ibm.com and ftp.uu.net, but rather on a lower-level addressing scheme that uses IP addresses, or "dotted quads." An IP address, such as 207.25.97.8, specifies precisely one computer. The IP address is the lowest common denominator separating one machine from another. A hot topic among networking professionals is that the current pool of IP addresses is drying up. Since the IP address is formed by putting 4 bytes together, with each byte having 256 combinations (2^8), there is a limited number of IP addresses available (2^32, or 4,294,967,296, to be exact).
You may be thinking that four billion addresses is nothing to sneeze at, which is true, but the explosive growth of the Internet worldwide has caused a great strain on the system for deploying those addresses. One reason for this is that huge blocks have already been given out and the system for assigning new ones is antiquated and difficult to administer. The current version of the IP protocol is Version 4, and Version 5 disappeared while still under discussion. IP Version 6 (IPv6 for short) is a project supported by networking companies, technology professionals, and organizations such as the Internet Engineering Task Force (IETF) to increase the size of the IP address pool to accommodate the massive growth expected on the Internet over the next several decades. Rather than simply increasing the size of the IP address pool, the ongoing work with IPv6 addresses a whole host of architectural issues. There is a virtual mountain of Requests for Comments, or RFCs, devoted to the design and implementation of IPv6. From RFC 1887 we can see a few of the topics being explored:

• Topological information included to significantly reduce routing protocol overhead
• Additional levels of hierarchy with anchors built in to ease future growth
• Standards for mapping service providers and subscribers to components of an IPv6 address
• Address assignments for all network entities based on growth and need
• Allocation of the IPv6 addresses by the Internet Registry
• Multi-homing and multiple domain routing choices
• IPv4 address space mapping into IPv6
• Multicast addressing
• Mobile host addressing
• Administrative addressing
• Mechanisms for publishing routing information to third parties
• A division of routing policies into host-to-router, router-to-router (inter-domain), and domain-to-domain

In summary, IPv6 is analogous to what the phone company was required to do to handle long distance calling.
When the user prefixes an area code to the already existing number, the telephone exchange can route to that area from the outside simply by consulting the first three numbers and looking up the city/area to which the call should be routed. Hence, a call placed
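The points made in this appendix (an IPv4 address is four bytes giving a pool of 2^32, IPv4 addresses can be mapped into the IPv6 space, and hierarchical prefixes let a router forward on the leading bits the way an exchange forwards on an area code) can be made concrete in a few lines. The following is an added example written for this edition of the text, not code from the book; the routing table and sample addresses are constructed for illustration and describe no real network, and the IPv4-mapped form used is the `::ffff:a.b.c.d` layout from the IPv6 addressing architecture (RFC 4291), which is one realisation of the "IPv4 address space mapping into IPv6" item listed above.

```python
"""Added example (not from the book): the IPv4 address pool, IPv4-mapped
IPv6 addresses, and the prefix ("area code") routing lookup.

Assumptions: ROUTES and the sample addresses are constructed for
illustration only and do not describe any real network."""
import ipaddress

# An IPv4 address is 4 bytes of 256 values each, so the pool is 2**32 addresses.
IPV4_POOL_SIZE = 2 ** (8 * 4)


def dotted_quad_to_int(addr: str) -> int:
    """Turn a dotted quad such as '207.25.97.8' into the 32-bit number the
    network stack actually routes on. Rejects anything that is not exactly
    four octets in the range 0..255."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | octet
    return value


def ipv4_mapped_ipv6(addr: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the IPv6 space as ::ffff:a.b.c.d (RFC 4291's
    IPv4-mapped form): the low 32 bits carry the IPv4 address, bits 32..47
    are all ones, and the remaining high bits are zero."""
    return ipaddress.IPv6Address((0xFFFF << 32) | dotted_quad_to_int(addr))


# Constructed routing table. Each prefix plays the role of an area code: the
# router only needs the leading bits of the destination to pick a next hop.
ROUTES = {
    ipaddress.ip_network("207.25.0.0/16"): "backbone-link-A",
    ipaddress.ip_network("207.25.97.0/24"): "branch-office-link",
    ipaddress.ip_network("0.0.0.0/0"): "default-route",
}


def next_hop(addr: str) -> str:
    """Longest-prefix match over ROUTES. A more specific prefix wins over a
    shorter one, just as a full number is more specific than its area code;
    the /0 default route catches anything no other prefix covers."""
    dest = ipaddress.ip_address(addr)
    best = max((net for net in ROUTES if dest in net), key=lambda n: n.prefixlen)
    return ROUTES[best]


if __name__ == "__main__":
    print(IPV4_POOL_SIZE)
    print(hex(dotted_quad_to_int("207.25.97.8")))
    print(ipv4_mapped_ipv6("207.25.97.8"))
    for sample in ("207.25.97.8", "207.25.1.1", "10.0.0.1"):
        print(sample, "->", next_hop(sample))
```

The `next_hop` lookup is deliberately naive (a linear scan) so the longest-prefix rule is visible; real routers use a trie or similar structure, but the selection rule is the same one the area-code analogy describes.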