Remote-Access VPN
Remote-access VPN, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations.
A company with a large remote-access VPN will typically outsource it to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network.
Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.
A remote-access VPN connects telecommuters, mobile users and, in some instances, smaller remote offices with minimal traffic to the enterprise WAN and corporate computing resources.
Site-to-Site VPN
Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be one of two types:
• Intranet-based: if a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect LAN to LAN. An intranet VPN connects fixed locations such as branch offices and home offices.
• Extranet-based: when a company has a close relationship with another company (for example, a partner, supplier or customer), it can build an extranet VPN that connects LAN to LAN and allows all of the various companies to work in a shared environment. An extranet VPN connects business partners such as suppliers and customers.
VPN Security: Firewalls
A VPN uses several methods to keep your connection and data secure:
• Firewalls
• Encryption
• IPsec
• AAA server
A firewall provides a strong barrier between your private network and the Internet. We can set firewalls to restrict the number of open ports, what type of packets are passed through and which protocols are allowed through.
VPN Security: Encryption
Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong to one of two categories:
• Symmetric-key encryption
• Public-key encryption
In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. Symmetric-key requires that you know which computers will be talking to each other so you can install the key on each one.
Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message.
The steps, with a file sent as an email message:
1. The sender creates a file (in this case an email message).
2. The file is encrypted using symmetric-key encryption.
3. The symmetric key is encrypted using the receiving computer's public key.
4. Both encrypted items (file and symmetric key) are sent to the receiving computer.
5. The receiving computer uses its private key to decode the symmetric key.
6. The receiving computer uses the included symmetric key to decode the original file.
7. The recipient is able to view the contents of the file.
Public-key encryption uses a combination of a private key and a public key. The private key is known only to your computer, while the public key is given by your computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. A very popular public-key encryption utility is called Pretty Good Privacy (PGP), which allows you to encrypt almost anything.
VPN Security: IPsec
Internet Protocol Security (IPsec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication.
IPsec has two encryption modes: tunnel and transport. Tunnel mode encrypts the header and the payload of each packet, while transport mode only encrypts the payload. Only systems that are IPsec compliant can take advantage of this protocol. Also, all devices must use a common key, and the firewalls of each network must have very similar security policies set up. IPsec can encrypt data between various devices, such as:
• Router to router
• Firewall to router
• PC to router
• PC to server
VPN Security: AAA Servers
AAA (authentication, authorization and accounting) servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks the following:
• Who you are (authentication)
• What you are allowed to do (authorization)
• What you actually do (accounting)
