Tunneling with the link Directive

Here are the commands we would enter on the PIX that we originally set up:

    link 5.182.95.250 1 A6B5C02
    link path 6.242.188.0 255.255.255.0 5.182.95.250

Here are the commands for the new San Francisco PIX:

    link 1.251.174.156 1 A6B5C02
    link path 192.168.2.0 255.255.255.0 1.251.174.156

The link command itself is used to associate one PIX unit with another, and also sets the key that the two units will use to encrypt and decrypt packets. The link path command explicitly tells the PIX that packets destined for another internal network behind a friendly PIX should not be forwarded or translated like other packets, but instead encrypted and tunneled. As you can see, setting up multiple PIX units in a large array is very simple. By duplicating the pair of commands above for every private link communication channel the PIX has, an administrator can simply and easily add, change, or remove whole tunneled sites. Note that the same key appears in the link command on both units: it is a shared secret, and it must be entered identically at each end or the two PIXs will be unable to decrypt each other's packets.

The PIX's encryption, which uses a separate piece of hardware, is currently restricted to a key size of 56 bits. Keep in mind that 56-bit DES keys have been recovered by exhaustive search with purpose-built hardware, so this protects against casual eavesdropping rather than a well-funded adversary. Although no official announcement has been made, it is our guess that Cisco will provide a beefier version of its encryption card for those most paranoid about security, and for those with ultra-sensitive data to share and protect.

Chapter 10. Managing and Maintaining Your VPN

Now your VPN is up, and remote users and sites are connecting to it over the Internet. This doesn't mean that you're in the clear and can tuck this book onto your shelf and never think about VPNs again. Now begins the battle to keep your VPN upgraded and monitor its security, not to mention dealing with problems when users call to complain that they can't connect. Some of these problems can be taken off your hands by using an ISP that will manage your VPN for you. Even if you go this route, a good working knowledge of what can go wrong is essential. That's what this chapter is about.

Unlike a firewall or proxy server, which you may set up once and not touch for months, your VPN is a more dynamic security mechanism. The main reason for this is that users rarely realize that they're interacting with a firewall or a proxy, while logging into a VPN server may take some interaction on their part. Users with various types of equipment may access your VPN from any point on the Internet at any hour of any day. Anyone who has ever run a remote access server knows the various problems dial-up users can have, and many of the same problems apply to remote access VPN users. Remote sites that connect to a corporate LAN might require less maintenance, however, because with a LAN-to-LAN link you often set it up once, have it dial in, and that's it.

In this chapter, we'll go over the problems that can occur and look for possible debugging information and solutions, as well as list what you should be armed with when working with an ISP on VPN issues. While this chapter can't address the specifics of your network, we can give you some general security suggestions. It's important to remember that no level of authentication or encryption can protect you if you don't have a sound security policy in place. We briefly touched on this in Chapter 1 and Chapter 2.

Finally, you'll want to keep up with the latest trends, standards, and security holes in VPN technologies, so that you can ensure that your VPN is up-to-date. We'll go over a list of resources you can use at the end of this chapter and in Appendix B.

10.1 Choosing an ISP

Choosing the right ISP for your VPN connection may be one of the most important things you do. To provide the most reliable connection you possibly can, you should use the same ISP for each end of the VPN connection. The first thing to take into consideration is geography. You will want to choose an ISP that has points of presence in all of the places you need. Although local and regional ISPs might be perfect for connections within the same city or even the same state, if you need connectivity across the country you should choose a larger, national provider.

Another consideration for a reliable VPN is a quality of service (QoS) guarantee. This is an agreement between a customer and an ISP that guarantees a certain amount of availability and bandwidth on the ISP's network. Typically a QoS guarantee bounds the latency of your traffic on the ISP's network, measured in tens of milliseconds. Most national ISPs guarantee 99.5% availability on their network. QoS guarantees will appear in the service level agreement (SLA) your ISP signs with you. Because these guarantees cover only traffic on the ISP's own network, they do you no good for the part of the path that crosses another provider; this is the main reason to put both ends of the VPN on the same ISP.

There are also VPN services that ISPs are selling, including GTE, UUNET, and others. With these services, the ISP operates and manages your VPN for you. Prices vary, and are typically based on the number of sites and the total amount of bandwidth used.

10.2 Solving VPN Problems

There are numerous points of failure in a VPN, which makes tracking down the cause of a problem more difficult than it is for an ordinary WAN or remote access connection. Among the possible problems are connectivity problems, authentication errors, and routing problems.

10.2.1 Connectivity Problems

Anyone familiar with maintaining or dialing into remote access servers—or into an ISP for that matter—is also familiar with the frustration of trying to pinpoint the cause of a bad connection. The main difficulty with connectivity problems is that they have so many causes. Here are a few possibilities:

• Telco problems
  o Bad lines
  o Busy switch
• ISP problems
  o Busy signals (probably from a user-to-modem ratio that's too high)
  o Bad modem or router
• End-user problems
  o Bad modem or router
  o A modem or router that's incompatible with the ISP's
  o Configuration problem

Besides these general communication problems, you may discover problems with port usage on firewalls. As you've seen, several VPN packages use specific TCP or UDP ports in order to communicate (for example, PPTP uses TCP port 1723). If these ports aren't open, you may not be able to make a VPN connection or transport data across the VPN. A port is not always the whole story, either: PPTP carries its control channel on TCP port 1723 but the tunneled data in GRE (IP protocol 47), and IPSec uses UDP port 500 for key exchange and the ESP and AH protocols (IP protocols 50 and 51) for the packets themselves. A filter that opens only the TCP or UDP port lets the connection be set up and then drops every data packet, which is why a tunnel can appear to come up and yet pass no traffic. These ports and protocols may be blocked at your ISP or on your own routers.
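Before calling the ISP, it is worth checking your own router's filter for everything the VPN needs, not just the well-known port. The following is an added example, not code from the original text or from any vendor: a small Python checker that parses a subset of Cisco-style access-list lines (source and destination written as "any" or "host X", an optional "eq <port>", trailing keywords ignored) and reports, per VPN type, which required port or IP protocol the filter would not permit. The ACL text, server address and port-name table are constructed for the example; subnet wildcard matching is deliberately left out.

```python
"""Check a border-router ACL for everything a VPN needs let through.

Added example, not from the original text.  It parses a small subset of
Cisco-style "access-list" lines (source/destination as "any" or "host X",
an optional "eq <port>", trailing keywords ignored) and reports, for each
VPN type, which required port or IP protocol the ACL does not permit.
The ACL text, addresses and port names below are constructed.
"""

# What must be permitted toward the VPN server.  PPTP's control channel is
# TCP 1723, but its data rides in GRE (IP protocol 47), so opening the port
# alone lets the tunnel come up and then pass nothing.  IPSec's key exchange
# is UDP 500 (ISAKMP) and its data is ESP (IP protocol 50).
REQUIREMENTS = {
    "PPTP": [("tcp", 1723), ("gre", None)],
    "L2TP": [("udp", 1701)],
    "IPSec": [("udp", 500), ("esp", None)],
}

# IOS prints well-known ports by name; map the ones this example needs.
PORT_NAMES = {"pptp": 1723, "isakmp": 500, "l2tp": 1701}


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (address, next index).
    Only "any" and "host X" are matched precisely; an "address wildcard"
    pair is kept as the bare address (subnet matching is not implemented)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return tokens[i], i + 2


def parse_acl(text):
    """Return a list of (action, protocol, destination, dest_port) tuples,
    in order; dest_port is None when the entry matches every port."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue  # blank lines, "!" comments, unrelated config
        action, proto = tokens[2], tokens[3]
        _, i = _take_addr(tokens, 4)                 # source address
        if i < len(tokens) and tokens[i] == "eq":   # optional source port
            i += 2
        dst, i = _take_addr(tokens, i)
        port = None
        if i + 1 < len(tokens) and tokens[i] == "eq":
            name = tokens[i + 1]
            port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        entries.append((action, proto, dst, port))
    return entries


def first_match(entries, proto, port, server):
    """Action of the first entry matching traffic of this protocol and
    destination port to the server.  "ip" matches any protocol, and an
    ACL with no matching entry denies (the implicit deny at the end)."""
    for action, e_proto, dst, e_port in entries:
        if e_proto not in (proto, "ip"):
            continue
        if dst not in ("any", server):
            continue
        if e_port is not None and e_port != port:
            continue
        return action
    return "deny"


def blocked_requirements(acl_text, server):
    """Map each VPN type to the sorted list of requirements the ACL blocks;
    an empty list means that VPN type can get through."""
    entries = parse_acl(acl_text)
    report = {}
    for vpn, needs in REQUIREMENTS.items():
        report[vpn] = sorted(
            proto if port is None else f"{proto}/{port}"
            for proto, port in needs
            if first_match(entries, proto, port, server) != "permit"
        )
    return report


# Constructed inbound filter: the administrator opened the PPTP port but
# forgot GRE, and never allowed L2TP at all.
SAMPLE_ACL = """\
! constructed example: inbound filter on the border router
access-list 101 permit tcp any host 192.0.2.10 eq 1723
access-list 101 permit udp any host 192.0.2.10 eq isakmp
access-list 101 permit esp any host 192.0.2.10
access-list 101 permit tcp any any established
access-list 101 deny ip any any log
"""

if __name__ == "__main__":
    for vpn, missing in blocked_requirements(SAMPLE_ACL, "192.0.2.10").items():
        print(f"{vpn:6} {'OK' if not missing else 'blocked: ' + ', '.join(missing)}")
```

Run against the constructed filter, the checker reports PPTP blocked on gre and L2TP blocked on udp/1701 while IPSec gets through; adding a `permit gre any host 192.0.2.10` line ahead of the final deny clears the PPTP complaint. The first-match-wins walk and the implicit deny mirror how the router evaluates the list, so entry order matters exactly as it does on the box.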

10.2.2 Authentication Errors

Authentication problems are common in the realm of dial-up connections, even when VPNs aren't involved. Here are the two most common authentication problems:

• A mismatched username or password, which occurs when either the connecting machine or the far end thinks that the username or password is something other than what it is. This is sometimes caused by a simple typographical error. Likewise, there could be mismatched keys in a public key system.
• The connecting system and the destination are using different authentication methods. For instance, the connecting machine might be attempting PAP authentication, while the destination system is expecting CHAP.

There is a third level of authentication problems involving public key infrastructures. It's important to use the same key exchange protocol. For example, some IPSec products allow
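The two failure modes in the list above (a mismatched secret, and a PAP-versus-CHAP method mismatch) are easiest to see with both sides of the exchange in front of you. The following is an added example, not code from the original text or from any PPP implementation: a minimal CHAP exchange as specified in RFC 1994, with the peer computing MD5(identifier || secret || challenge) and the authenticator recomputing it from its own copy of the secret, preceded by an LCP-style choice of authentication protocol. The user name, secrets, and the deterministic challenge source used for testing are constructed for the example.

```python
"""A minimal CHAP (RFC 1994) exchange with both sides present.

Added example, not from the original text.  The peer computes
MD5(identifier || secret || challenge); the authenticator recomputes it from
its own copy of the secret.  User name, secrets and the deterministic
challenge source used below are constructed for the example.
"""
import hashlib
import hmac
import os

# Authenticator's user database (constructed).
SERVER_SECRETS = {"alice": b"correct horse battery"}


def chap_response(identifier, secret, challenge):
    """Peer side: the Response value of RFC 1994 section 4.1 is the MD5 of
    the one-octet identifier, the shared secret and the challenge value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side: issues a fresh challenge per attempt and verifies
    the peer's response, reporting why a verification failed."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.next_id = 0
        self.outstanding = {}        # identifier -> challenge value

    def challenge(self, rng=os.urandom):
        """Send Challenge: a new identifier and an unpredictable value."""
        self.next_id = (self.next_id + 1) & 0xFF
        value = rng(16)
        self.outstanding[self.next_id] = value
        return self.next_id, value

    def verify(self, identifier, name, response):
        """Consume the challenge and answer Success or Failure."""
        challenge = self.outstanding.pop(identifier, None)
        if challenge is None:
            return False, "unknown or already-used identifier (replay?)"
        secret = self.secrets.get(name)
        if secret is None:
            return False, f"unknown user {name!r}"
        expected = chap_response(identifier, secret, challenge)
        if hmac.compare_digest(expected, response):
            return True, "success"
        # Both sides ran the same algorithm; only the secret can differ.
        return False, "response mismatch: the two sides hold different secrets"


def negotiate_auth(server_requires, client_supports):
    """LCP-style negotiation: the authenticator names the protocol it wants
    (PAP or CHAP); if the peer cannot do it, authentication never starts."""
    return server_requires if server_requires in client_supports else None


def login(name, client_secret, client_supports=("CHAP",), rng=os.urandom):
    """Drive the whole exchange and return (succeeded, reason)."""
    if negotiate_auth("CHAP", client_supports) is None:
        return False, "authentication method mismatch: server requires CHAP"
    auth = ChapAuthenticator(SERVER_SECRETS)
    identifier, challenge = auth.challenge(rng)
    response = chap_response(identifier, client_secret, challenge)   # peer
    return auth.verify(identifier, name, response)                   # server


if __name__ == "__main__":
    print(login("alice", b"correct horse battery"))   # correct secret
    print(login("alice", b"correct horse batery"))    # one-character typo
    print(login("alice", b"correct horse battery", client_supports=("PAP",)))
```

Note what the authenticator can and cannot tell you: a one-character typo in the secret produces a Failure that is indistinguishable from any other wrong secret, because the hash hides which side is wrong, whereas a PAP-only peer fails earlier, before any challenge is sent. That difference in where the failure occurs is the first thing to look for in the server's log when a user reports "authentication failed".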