Agenda
• VPN Review
• Tunneling
• IPsec
• L2TP
• Attacks Against VPNs
• Deploying VPNs in WLANs
VPN Review
A VPN enables you to establish a secure, encrypted network within a hostile, public network such as the Internet. VPNs provide several benefits, including the following:
• Facilitate secure and easy inter-office communication
• Provide inexpensive network access for mobile employees
• Provide full network access for telecommuters
The following are some key features of VPNs:
• Encrypt traffic either between two points or between two entire networks
• Usually software-based (rather than hardware-based)
• Provide variable levels of encryption, dictated largely by export restrictions
VPNs provide secure, encrypted communication in two ways:
• User-to-Network (Remote-Access Model)— In this configuration, remote clients can connect through a public network such as the Internet. By using a VPN, the remote client can become part of the company network. This configuration effectively replaces the remote dial-in or authenticated firewall access model.
• Network-to-Network (Site-to-Site Model)— In this configuration, one branch office network can connect through a public network such as the Internet to another branch office network. This configuration eliminates the need for an expensive wide-area network (WAN).
Thus, VPNs are secure communication solutions that take advantage of public networks to lower your costs. However, VPNs have their share of problems. Some challenges involved in establishing VPNs are as follows:
• Connection recovery
• Scalability of traffic and users
• User management and client deployment
• Speed
• Uptime
• Global interoperability
Tunnelling
Tunnelling safely wraps packets inside other packets to protect them on their journey. Tunnelling provides the following features:
• Masking private addresses— The IP addresses inside your organization often differ from those on the Internet. Tunnelling hides the private IP address during delivery through a public network.
• Transporting non-IP payloads— Tunnelling enables you to transport non-IP payloads (such as IPX or AppleTalk packets) through standard OSI stack layers and the Internet by wrapping the payload with an IP and a tunnelling protocol header.
• Forwarding— Tunnelling allows data to be relayed to a specific location at the destination, permitting the payload to be processed with more specificity.
• Security— Tunnelling can provide added security features such as encryption, authentication, and so on.
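The idea of wrapping one packet inside another, shown as an added Python example that is not part of the original slides: it builds a private-address IPv4 packet, wraps it in an outer IPv4 header that carries public tunnel-endpoint addresses (IP-in-IP, protocol 4), and unwraps it again at the far end, verifying the header checksum on the way. The addresses and the TCP payload are constructed for the demo; the same outer-header idea is what GRE uses for non-IP payloads and what IPsec tunnel mode uses with an ESP or AH header in between.

```python
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation (RFC 2003)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 when a header verifies)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of the payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    checksum = ipv4_checksum(header)  # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and verify an IPv4 header; return its key fields and the payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "ttl": ttl,
        "payload": packet[ihl:total_len],
    }


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: the whole inner packet becomes the payload of a new outer packet."""
    parse_ipv4(inner)  # refuse to wrap something that is not a valid IPv4 packet
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> bytes:
    """Tunnel exit: strip the outer header and hand back the original inner packet."""
    fields = parse_ipv4(outer)
    if fields["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    return fields["payload"]


def wire_addresses(packet: bytes) -> tuple:
    """The (src, dst) pair an observer on that network segment actually sees."""
    fields = parse_ipv4(packet)
    return fields["src"], fields["dst"]


# Constructed sample: private 10.x addresses inside, documentation-range public addresses outside.
INNER = build_ipv4("10.1.1.25", "10.2.2.40", IPPROTO_TCP, b"constructed TCP segment")
OUTER = encapsulate(INNER, "198.51.100.1", "203.0.113.1")

if __name__ == "__main__":
    print("on the Internet:", wire_addresses(OUTER))      # public tunnel endpoints only
    print("after the tunnel:", wire_addresses(decapsulate(OUTER)))  # private addresses restored
```

Only the outer header is visible on the public network, so the private addresses (and, with ESP in between, the payload) stay hidden; a tampered outer header fails the checksum and is dropped before anything is unwrapped.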
IPsec
• Internet Protocol Security (IPsec) has emerged as the leading suite of protocols governing the use of VPNs. It comprises an architecture and a set of protocols, together with the related Internet Key Exchange (IKE) protocol, and is defined by IETF RFCs 2401–2409. IPsec provides integrity protection, authentication, and optional privacy and replay protection services. IPsec delivers machine-level authentication and encryption for VPNs based on L2TP (Layer 2 Tunneling Protocol).
• IPsec packets comprise the following types:
• IP Protocol 50— This is the Encapsulating Security Payload (ESP) format. It defines privacy, authenticity, and integrity.
• IP Protocol 51— This is the Authentication Header (AH) format. It defines authenticity and integrity, but not privacy.
• IPsec can work in two modes: transport mode and tunnel mode. Both modes enable encapsulation in ESP or AH headers. Transport mode secures an existing IP packet from source to destination, whereas tunnel mode places the packet into a new IP packet that's sent to a tunnel endpoint in the IPsec format.
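The two packet types and the replay-protection service described above, as an added Python example (not code from the book or slides): a parser that tells ESP (protocol 50) from AH (protocol 51) by pulling the SPI and sequence number out of each header, and a per-SA sliding anti-replay window of the kind RFC 2401 describes. The packet stream, SPI values and window size are constructed for the demo; a real implementation also verifies the ICV before it updates the window.

```python
import struct

IPPROTO_ESP = 50  # Encapsulating Security Payload: privacy, authenticity, integrity
IPPROTO_AH = 51   # Authentication Header: authenticity and integrity, no privacy
WINDOW_SIZE = 64  # 64-packet anti-replay window, the size RFC 2401 recommends


def parse_ipsec_header(proto: int, data: bytes) -> dict:
    """Return the SPI and sequence number carried by an ESP or AH header."""
    if proto == IPPROTO_ESP:
        # ESP: SPI (4 bytes) | Sequence Number (4 bytes) | encrypted payload ...
        spi, seq = struct.unpack("!II", data[:8])
        return {"type": "ESP", "spi": spi, "seq": seq, "privacy": True}
    if proto == IPPROTO_AH:
        # AH: Next Header (1) | Payload Len (1) | Reserved (2) | SPI (4) | Seq (4) | ICV ...
        next_header, _, _, spi, seq = struct.unpack("!BBHII", data[:12])
        return {"type": "AH", "spi": spi, "seq": seq, "privacy": False, "next_header": next_header}
    raise ValueError(f"IP protocol {proto} is not an IPsec packet type")


class ReplayWindow:
    """Per-SA sliding window: accept each sequence number at most once, drop stale ones."""

    def __init__(self, size: int = WINDOW_SIZE):
        self.size = size
        self.highest = 0  # highest sequence number accepted on this SA so far
        self.bitmap = 0   # bit i set means sequence number (highest - i) was already seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False  # sequence numbers start at 1; 0 is never valid
        if seq > self.highest:
            shift = seq - self.highest           # window slides forward to the new packet
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        back = self.highest - seq
        if back >= self.size:
            return False  # older than the window: drop
        if self.bitmap & (1 << back):
            return False  # already seen: replay
        self.bitmap |= 1 << back                  # late but new: mark it and accept
        return True


def filter_stream(packets):
    """Classify each (proto, bytes) packet and apply anti-replay per (type, SPI)."""
    windows = {}
    verdicts = []
    for proto, data in packets:
        hdr = parse_ipsec_header(proto, data)
        window = windows.setdefault((hdr["type"], hdr["spi"]), ReplayWindow())
        verdict = "accept" if window.accept(hdr["seq"]) else "drop"
        verdicts.append((hdr["type"], hdr["seq"], verdict))
    return verdicts


# Constructed packets: headers are real layouts, the payload/ICV bytes are stand-ins.
def esp(spi, seq):
    return (IPPROTO_ESP, struct.pack("!II", spi, seq) + b"<ciphertext>")


def ah(spi, seq):
    return (IPPROTO_AH, struct.pack("!BBHII", 6, 4, 0, spi, seq) + b"<icv>")


SAMPLE_STREAM = [
    esp(0x1001, 1), esp(0x1001, 2), esp(0x1001, 2),   # duplicate seq 2 is a replay
    esp(0x1001, 4), esp(0x1001, 3),                   # reordered delivery is still fine
    esp(0x1001, 1),                                   # old and already seen: replay
    ah(0x2002, 1),                                    # separate SA gets its own window
    esp(0x1001, 300), esp(0x1001, 236), esp(0x1001, 237),  # 236 fell out of the window
]

if __name__ == "__main__":
    for verdict in filter_stream(SAMPLE_STREAM):
        print(verdict)
```

Note that ESP and AH share the SPI/sequence layout at different offsets, which is why the parser branches on the IP protocol number first; the window is keyed by (type, SPI) because each security association has its own sequence space.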
L2TP
• Layer 2 Tunneling Protocol (L2TP) is the leading protocol for Layer 2 implementations of VPNs. L2TP is a result of the combination of the L2F and PPTP standards.
• L2F
Cisco originally developed L2F as a mechanism for setting up UDP-encapsulated tunnels. At one time, L2F was a popular VPN tunneling protocol in its own right, but lack of grassroots support by Cisco killed it.
• PPTP
Point-to-Point Tunneling Protocol (PPTP) is Microsoft's protocol for VPNs. It was designed to provide authenticated and encrypted communications without requiring a public key infrastructure. PPTP uses a TCP connection for tunnel maintenance and Generic Routing Encapsulation (GRE)-encapsulated PPP frames for tunneled data. As a VPN protocol, PPTP lost ground to the popular industry-standard IPsec and was rolled into L2TP.
• PPP
PPP defines an encapsulation mechanism for transporting multiprotocol packets across Layer 2 (L2) point-to-point links. Typically, a user obtains an L2 connection to a Network Access Server (NAS) using one of a number of techniques (dial-up POTS, ISDN, ADSL, and so on) and then runs PPP over that connection. In such a configuration, the L2 termination point and the PPP session endpoint reside on the same physical device.
• L2TP
L2TP extends the PPP model by allowing the L2 and PPP endpoints to reside on different devices interconnected by a packet-switched network. With L2TP, a user has an L2 connection to an access concentrator (for example, a modem bank, an ADSL DSLAM, and so on). The concentrator then tunnels individual PPP frames to the network access server. This segregates the processing burden of PPP packets from the termination of the L2 circuit.
Attacks against VPNs
• VPNs are remarkable tools for enhancing security, but they are not a panacea. Like all technology, VPNs are vulnerable to exploits by hackers. Two categories are covered here: client attacks and server attacks. In reality, the same exploits also apply to other VPN configurations, such as server-to-server.
Client Attacks
• Remote clients are the Achilles heel of VPN security. Imagine spending millions of dollars to purchase the finest firewalls and IDS systems for your enterprise network. Next, you painstakingly set up VPN access for employees to obtain wireless access. However, suppose a hacker targets and then backdoors an employee's PDA. Suddenly, all the IT department's effort and money is flushed down the toilet. The hacker has now easily bypassed your fortifications, and now has the keys to the kingdom.
• Worse, because VPNs encrypt their tunnels, he now has a fully encrypted tunnel into the heart of your corporate network. The hacker has turned your own weapons against you.
• In addition, because VPNs tunnel, they automatically bypass most of your perimeter defenses; you might even have foiled your own signature-based IDS systems. For this reason, user education is key in maintaining the integrity of your VPN.
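To make the point about signature-based IDS concrete, here is an added Python example (not from the book): a toy signature scanner run over the same payload before and after it is wrapped in an ESP-style packet. The signature set, the key and the SHA-256-based keystream are constructed stand-ins, not a real IPsec cipher; what the example shows is where the sensor has to sit to see anything.

```python
import hashlib
import struct

# Constructed stand-in for a signature-based IDS rule set (pure content matches).
SIGNATURES = {b"IDS-TEST-PATTERN-1", b"IDS-TEST-PATTERN-2"}


def ids_scan(data: bytes) -> set:
    """Signature-based inspection: report every rule whose content appears in the bytes."""
    return {sig for sig in SIGNATURES if sig in data}


def keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256, bound to the SPI and sequence number.
    Illustration only: not an ESP transform and not suitable for real use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, counter)).digest()
        counter += 1
    return out[:length]


def esp_wrap(key: bytes, spi: int, seq: int, plaintext: bytes) -> bytes:
    """Build an ESP-style packet: SPI | sequence number | encrypted payload."""
    ks = keystream(key, spi, seq, len(plaintext))
    return struct.pack("!II", spi, seq) + bytes(a ^ b for a, b in zip(plaintext, ks))


def esp_unwrap(key: bytes, packet: bytes) -> bytes:
    """Reverse esp_wrap: recover the cleartext payload from an ESP-style packet."""
    spi, seq = struct.unpack("!II", packet[:8])
    body = packet[8:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, spi, seq, len(body))))


def inspect_at_perimeter(packet: bytes) -> set:
    """A sensor outside the VPN gateway only sees the ESP header and ciphertext."""
    return ids_scan(packet[8:])


def inspect_inside_gateway(key: bytes, packet: bytes) -> set:
    """A sensor placed after decryption (gateway inside interface or host) sees the payload."""
    return ids_scan(esp_unwrap(key, packet))


# Constructed sample traffic and key.
DEMO_KEY = b"constructed-demo-key"
DEMO_PAYLOAD = b"GET /index.html?q=IDS-TEST-PATTERN-1 HTTP/1.0\r\n"
DEMO_PACKET = esp_wrap(DEMO_KEY, 0x1001, 7, DEMO_PAYLOAD)

if __name__ == "__main__":
    print("cleartext:", ids_scan(DEMO_PAYLOAD))
    print("perimeter sensor:", inspect_at_perimeter(DEMO_PACKET))
    print("inside gateway:", inspect_inside_gateway(DEMO_KEY, DEMO_PACKET))
```

The perimeter sensor never fires on tunnelled traffic because the only cleartext it gets is the SPI and sequence number; visibility comes back only where the traffic has been decrypted (the gateway's inside interface or host-based detection on the client), which is why client hygiene and user education carry so much of the load.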
Server Attacks
• VPN servers are vulnerable to the same attacks from which all networked machines suffer. This includes attacks ranging from denial-of-service and session hijacking to buffer overflows.
• In addition, VPNs might also be vulnerable to cryptographic attacks. A chain is only as strong as its weakest link. For example, when you interface VPNs of varying cryptographic strength, you introduce weaknesses. Theoretically, it might not help to use 128-bit encryption if your enterprise allows full access from remote machines that are limited to 40-bit encryption. For example, if your VPN is deployed worldwide, because of ludicrous export restrictions on cryptography, U.S. law might prohibit you from exporting the strong version of cryptography to your foreign subsidiaries.
Deploying VPNs in WLANs
The most common business configuration of wireless access points in use today. In this case, a rogue access point installed on a user machine sits inside perimeter defenses and allows the hacker a wide-open backdoor. The rogue access point is often installed by an employee who wants wireless access at work, or by a network administrator who has forgotten about a prior test installation.
• A better configuration. In this case, the wireless access point is placed outside the corporate firewall. Thus, wireless users have to pass through the corporate firewall ruleset, the same as hardwired (landline) users must. However, such a configuration is still open to attack. For example, as you learned earlier in the book, a hacker could sniff the connection from the wireless user to the firewall and walk away with a username and password. The fact that the sniffing was done wirelessly makes it all the more dangerous.
• The best configuration. In this case, the wireless user still has to pass through the corporate firewall. However, in order to do so, he must now also authenticate with the VPN. Because the communication passes through an encrypted tunnel, it is resistant to sniffing from nearby hackers.
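The three layouts above differ in what the firewall admits from the wireless segment. As an added example (not the book's), this Python snippet models the ruleset for the best configuration: an access point outside the firewall whose users may reach only the VPN gateway, and only with IKE (UDP 500/4500, the standard port assignments) and ESP (protocol 50); direct access from the wireless segment to the corporate LAN is denied and logged. The addresses are constructed documentation ranges, and the Packet class, rule names and log format are my own.

```python
import ipaddress
from dataclasses import dataclass

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
IKE_PORTS = {500, 4500}  # IKE, and IKE/ESP NAT traversal (standard UDP assignments)

# Constructed addressing for the demo (RFC 5737 documentation ranges, not the book's).
WLAN_SEGMENT = ipaddress.ip_network("192.0.2.0/24")   # access point sits outside the firewall
CORPORATE_LAN = ipaddress.ip_network("10.0.0.0/8")    # protected internal network
VPN_GATEWAY = ipaddress.ip_address("203.0.113.10")    # VPN concentrator's outside address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0


def _from_wlan(p: Packet) -> bool:
    return ipaddress.ip_address(p.src) in WLAN_SEGMENT


def _to_vpn_gateway(p: Packet) -> bool:
    return ipaddress.ip_address(p.dst) == VPN_GATEWAY


# First-match policy for the wireless segment: only the VPN path is admitted.
RULES = [
    ("wlan-to-vpn-ike", lambda p: _from_wlan(p) and _to_vpn_gateway(p)
                                  and p.proto == IPPROTO_UDP and p.dport in IKE_PORTS, "allow"),
    ("wlan-to-vpn-esp", lambda p: _from_wlan(p) and _to_vpn_gateway(p)
                                  and p.proto == IPPROTO_ESP, "allow"),
    ("wlan-direct-to-lan", lambda p: _from_wlan(p)
                                     and ipaddress.ip_address(p.dst) in CORPORATE_LAN, "deny"),
    ("default", lambda p: True, "deny"),
]


def evaluate(p: Packet) -> tuple:
    """Return (action, rule name) for the first rule that matches the packet."""
    for name, matches, action in RULES:
        if matches(p):
            return action, name
    return "deny", "default"  # unreachable because of the catch-all, kept for clarity


def audit(packets) -> list:
    """Syslog-style lines for every rejected packet (constructed format)."""
    lines = []
    for p in packets:
        action, rule = evaluate(p)
        if action == "deny":
            lines.append(f"DENY rule={rule} {p.src} -> {p.dst} proto={p.proto} dport={p.dport}")
    return lines


# Constructed sample traffic from one wireless client.
SAMPLE_TRAFFIC = [
    Packet("192.0.2.20", "203.0.113.10", IPPROTO_UDP, 500),  # IKE negotiation with the VPN gateway
    Packet("192.0.2.20", "203.0.113.10", IPPROTO_ESP),       # the encrypted tunnel itself
    Packet("192.0.2.20", "10.1.5.7", IPPROTO_TCP, 445),       # direct file-server access: denied
    Packet("192.0.2.20", "203.0.113.10", IPPROTO_TCP, 22),    # management port on the gateway: denied
]

if __name__ == "__main__":
    for p in SAMPLE_TRAFFIC:
        print(p, "->", evaluate(p))
    print("\n".join(audit(SAMPLE_TRAFFIC)))
```

With this policy, a username and password never cross the air in the clear on the way to the firewall: the only thing a nearby sniffer can capture is the IKE exchange and ESP ciphertext, and every attempt to reach the LAN without the tunnel shows up in the deny log, which is a useful signal for spotting a client that is trying to bypass the VPN.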