Three-part encryption technique Security
6.1.2.2 Support for an emerging security standard
RSA has recently begun development of the Secure Wide Area Network SWAN standard, which is based on IPSec. Though AltaVistas security methods were developed by AltaVista, they are committed to supporting the emerging standard once it has been finalized. They will likewise continue to support their proprietary security methods as well. No announcements for IPSec support were apparent for AV Tunnel 98.6.1.2.3 Support for Security Dynamics SecureID
You can get even more secure authentication by using the AltaVista Tunnel 98s support for Security Dynamics SecureID authentication tokens. By generating random access codes every 60 seconds, SecureID tokens provide a further line of defense against persons trying to gain unauthorized access to the secure private LAN. The Extranet server actually acts as a client for the ACESERVER, the guts of the SecureID system.6.1.3 Flexibility
The AltaVista Tunnel 98 works with many types of conventional firewalls. The LANs firewall is configured as a generic relay, which automatically forwards all traffic addressed to the tunnel port on the firewall to a unique port on the tunnel server. The unique tunnel port and the generic relay configuration not only hide the physical IP address of the tunnel server, but also log all attempts to connect to the tunnel network at both the firewall and the tunnel server. Other firewall configuration options for IP tunnels may be found in Chapter 9 .6.2 AltaVista Tunnel Limitations
While it includes a full-featured tunnel setup, the AltaVista Tunnel still has a few limitations that may render it inappropriate for some enterprises needing a virtual private network.6.2.1 Platform Limitations
Given its limited support of platforms, AltaVista Tunnel is definitely not the answer for the enterprise with a mix of operating systems. AltaVista has released a Telecommuter client package for the MacOS, though there is no mention of this release on their tunnel web site. However, a demo copy of the Mac Telecommuter Client software is available for download at the AltaVista Tunnel 98 site listed at the beginning of this chapter. No versions have been announced for flavors of Unix other than Digital Unix, and AltaVista has gone so far as to drop support for both BSDOS and FreeBSD in this revision of their software. 926.2.2 Security Drawbacks of User Authentication
Though the security features are one of the most powerful aspects of the AltaVista Tunnel, user-based authentication still poses some security concerns. In order to provide the flexibility to log in from anywhere, the product removes one of the most common types of authentication normally used by VPNs: checking the incoming IP address. Network administrators, already burdened with users losing or compromising passwords to the system, must stress extra care in protecting generated keys, tunnel user group names, and passwords; these are the only factors by which AltaVista Tunnel verifies its connections. As stated, the AltaVista Tunnel Extranet server should be closely managed as a highly trusted system, because compromising a tunnel key negates the purpose of the virtual private network in the first place.6.3 How the AltaVista Tunnel Works
Each AltaVista Tunnel network consists of two sides, the inbound and outbound, both connected to the Internet in some fashion. The inbound side is the private network, which consists of some number of hosts and an AltaVista Extranet server. The outbound side can be either a single computer or another LAN. In the first case, the user would run the AltaVista Telecommuter client, and in the second, the remote LAN would have an Extranet server of its own to manage inbound or outbound tunnel traffic by hosts on its network. The Extranet server on the inbound side always manages authentication, dynamic IP assignment, and the routing of tunnel traffic for incoming connections. A simple VPN might consist of three individual users connected to the Internet via three separate ISPs. Each user is running a Telecommuter client, and has access to the tunnel group through the remote LANs Extranet server. Users have unique physical IP addresses on their respective ISPs networks. The tunnel server and hosts on the remote LAN are likewise assigned physical IP addresses. On the tunnel server, a range of virtual IP addresses is available for assignment to incoming tunnel connections. Each tunnel receives two virtual IP addresses: one for the client end and one for the server end. Tunnel traffic destined for the virtual private network is first routed, via the tunnel client software, from the clients physical IP address to its virtual IP address. This virtual IP address points to the tunnel servers virtual IP address for that connection, which, in turn, is routed to an internal host on the local networks physical IP range. In this way, the remote clients act as if they were nodes on the local network. When a remote user initiates a tunnel session with the tunnel server, an encrypted connection request is sent, which, once relayed through the firewall, is authenticated against the tunnel servers list of authorized clients. Once the request is granted, the tunnel server issues a response encrypted with the clients public key. The client decrypts this message using its own private key, and then the two exchange parts of a session key. These parts are combined to form a secret session key, which is regenerated every 30 to 1,440 minutes of the connection. The AltaVista Tunnel 98 software on both ends is installed as a separate network protocol, and is routed to a piece of software called a pseudo-adapter. The virtual IP address assigned for the tunnel connection is attached to this pseudo-adapter through which all tunnel traffic isParts
» Virtual Private Networks 2nd 1999
» How VPNs relate to Intranets
» What Are We Protecting with Our VPN?
» Firewalls How VPNs Solve Internet Security Issues
» Authentication How VPNs Solve Internet Security Issues
» Encryption How VPNs Solve Internet Security Issues
» Tunneling How VPNs Solve Internet Security Issues
» A Note on IP Address and Domain Name Conventions Used in This Book
» Packet restriction or packet filtering routers
» Bastion host What Types of Firewalls Are There?
» DMZ or perimeter zone network
» Proxy servers What Types of Firewalls Are There?
» A Brief History of Cryptography
» Cryptography: How to Keep a Secret
» Cryptography in Network Communications
» Hash algorithms Cryptographic Algorithms
» Secret key systems Cryptographic Algorithms
» Public key cryptosystems Cryptographic Algorithms
» Use of Cryptosystems and Authentication in a VPN
» ESP Encapsulating Security Payload
» AH Authentication Header VPN Protocols
» Internet Key Exchange, ISAMKPOakley
» ISO X.509 v.3 Digital Certificates
» LDAP Lightweight Directory Access Protocol Radius
» PPTP Point-to-Point Tunneling Protocol
» Basic Firewalling Methodologies for Compromising VPNs
» Ciphertext-only attack Cryptographic Assaults
» Known plaintext attack Cryptographic Assaults
» Chosen plaintext attack Cryptographic Assaults
» Chosen ciphertext attack Cryptographic Assaults
» Brute force attacks Cryptographic Assaults
» Password guessers and dictionary attacks
» Social engineering Cryptographic Assaults
» Address spoofing Network Compromises and Attacks
» Session hijacking Network Compromises and Attacks
» Man-in-the-middle attack Network Compromises and Attacks
» Replay attack Network Compromises and Attacks
» Detection and cleanup Network Compromises and Attacks
» Patents and Legal Ramifications
» General WAN, RAS, and VPN Concepts
» Telco Small to Medium Solutions
» Security, scalability, and stability
» Hardwaresoftware Small to Medium Solutions
» Administration Small to Medium Solutions
» Hardwaresoftware Administration Security, scalability, and stability
» Differences Between PPTP, L2F, and L2TP
» Dialing into an ISP That Supports PPTP
» Dialing into an ISP That Doesnt Support PPTP
» Where PPTP Fits into Our Scenario
» The encapsulation process Dissecting a PPTP Packet
» Accept encrypted authentication RAS authentication methods
» Accept Microsoft encrypted authentication
» Accept any authentication, including clear text
» Data encryption PPTP Security
» Availability Features of PPTP
» Easy Implementation Features of PPTP
» Multiprotocol Tunneling Features of PPTP
» Ability to Use Corporate and UnregisteredIP Addresses
» Choosing the protocols to tunnel
» Choosing your authentication method
» IP address negotiation using DHCP
» Outbound authentication using PPTP filtering
» Filtering caveats PPTP Filtering
» Installing PPTP Filtering by IP Address
» Configuring Users for Dial-up Access
» Configuring PPTP for Dial-up Networking on a Windows NT Client
» Configuring PPTP for Dial-up Networking on a Windows 95 or 98 Client
» Setting up global PPTP parameters Setting up a port for PPTP
» Configuring PPTP on an Ascend MAX 4004
» Making the Calls Configuring and Testing Layer 2 Connections
» The Event Viewer Login problems
» The Dial-Up Networking Monitor
» ping and traceroute Connectivity Testing
» Fixed IP addresses How to Allow PPTP Through Firewalls
» How PPTP Can Bypass a Proxy Server
» Three-part encryption technique Security
» Support for an emerging security standard
» Support for Security Dynamics SecureID
» Accessibility Flexibility Advantages of the AltaVista Tunnel System
» Platform Limitations AltaVista Tunnel Limitations
» Extranet server System Considerations
» Telecommuter client System Considerations
» Planning How the AltaVista Tunnel Works
» AltaVista Tunnel Extranet server
» Security procedures The Guts
» AltaVista Tunnel Telecommuter Client
» Sample configuration Implementing a LAN-to-LAN Tunnel
» Tunnel server configuration Implementing a LAN-to-LAN Tunnel
» Firewall configuration Host configuration
» Sample configuration Implementing Single Connections-to-LAN Tunnels
» Tunnel server configuration Implementing Single Connections-to-LAN Tunnels
» Firewall configuration Implementing Single Connections-to-LAN Tunnels
» Local host configuration Implementing Single Connections-to-LAN Tunnels
» Remote PC configuration Implementing Single Connections-to-LAN Tunnels
» Sample configuration Implementing PC-to-WAN Tunnels
» Tunnel server configuration Implementing PC-to-WAN Tunnels
» Tracing the packets Implementing PC-to-WAN Tunnels
» Preparing to Install Installing the AltaVista Tunnel
» Windows NT 4.0 Installing the AltaVista Tunnel Extranet Serverfor Windows NT
» Installing the AltaVista Tunnel Telecommuter Client for Windows
» Installing the AltaVista Tunnel Telecommuter Client for MacOS
» Initial configuration Adding Routes and Dynamic Addresses
» Managing routes and dynamic IPs
» Group configuration Adding Tunnel Groups
» Tunnel client information Adding Tunnel Groups
» Tools for Tunnel Management Changing Port Settings
» Rekey Interval and Minimum Encryption Settings
» Configuring Unix-to-Windows NT Tunnel Connections
» Getting Busy Configuring the AltaVista Telecommuter Client
» Tunnel Server and Client Configuration Checks
» Local Network and Internet Gateway Configuration Checks
» Encryption Capabilities The SSH Software
» Useful sshd parameters for our purposes
» Understanding SSH authentication ssh
» Useful ssh parameters for our purposes
» The VPN Components Creating a VPN with PPP and SSH
» Setting up the master and slave Linux systems
» Creating a user account on the slave
» Setting up SSH authentication
» Configuring sudo on the slave
» Putting pty-redir on the master
» Setting up the slaves scripts
» Testing the Connection Creating a VPN with PPP and SSH
» A Performance Evaluation Creating a VPN with the Unix Secure Shell
» ISP Assigned Addresses Global Pool
» Hardware solution Advantages of the PIX Firewall
» Superior to Unix and other router firewalls
» Single point of controlfailure
» Dynamic address translation Advantages of the PIX Firewall
» PIX acts like a proxy server
» Ease of configuration and maintenance
» High-speed access Advantages of the PIX Firewall
» Links Advantages of the PIX Firewall
» Hardware solution Limitations of the PIX Firewall
» Dynamic address use Limitations of the PIX Firewall
» Budgetary considerations Limitations of the PIX Firewall
» Maintenance Limitations of the PIX Firewall
» A Sample Configuration Configuring the PIX as a Gateway
» Firewall Configuration on the PIX
» debug xlate Testing, Tracing, and Debugging
» arp Testing, Tracing, and Debugging
» show interface Testing, Tracing, and Debugging
» Offering Services to the Internet Through Conduits and the static Command
» Tunneling with the link Directive
» Choosing an ISP Managing and Maintaining Your VPN
» Connectivity Problems Solving VPN Problems
» Authentication Errors Solving VPN Problems
» Routing Problems Dealing with an ISP
» Compatibility with Other Products
» Delivering Quality of Service
» Restrict What VPN Users Can Get To
» Avoid Public DNS Information for VPN Servers and Routers
» Keeping Yourself Up-to-Date Managing and Maintaining Your VPN
» Network Connections Hardware and Operating System VPN Package
» Connection Hardware and Operating System VPN Package
» Connection Hardware and Operating System
» VPN Package Remote Access Users
Show more