CHAPTER 14

Real-World VPNs

VIRTUAL PRIVATE NETWORKS (VPNs) are a key technology and component in today’s computer security environment. Recall that the Internet is open to virtually any user, while an intranet is open only to individuals within your organization. A third kind of network is the extranet. Extranets lie somewhere between the Internet and an intranet.

Companies use extranets to connect with suppliers and customers, two constituencies that are essential to business processes. Extranets usually use VPN technology to ensure confidentiality and integrity of information. VPNs are becoming an increasingly important component of any successful business’s information technology plan. VPNs can substantially enhance the technological architecture of any organization’s network through the use of efficient and flexible collaborative technology.

In this chapter, you’ll learn how to do a complete VPN installation at your organization, from operating systems and VPN appliances to remote desktops.

Chapter 14 Topics

This chapter covers the following topics and concepts:

• What operating system-based VPNs are

• What VPN appliances are

• What a remote desktop protocol is

• How to use remote control tools

• How to perform remote access

• What terminal services are

• What Microsoft DirectAccess is

• What DMZ, extranet, and intranet VPN solutions are

• What Internet café VPNs are

• What the online remote VPN options are

• What the Tor application is

• How to plan a VPN implementation

• What VPN implementation best practices are

Chapter 14 Goals

When you complete this chapter, you will be able to:

• Create a remote control VPN using Remote Desktop

• Evaluate hardware VPN devices

• Experiment with Tor

• Set up an Internet café VPN client

• Assess online remote control products, such as GoToMyPC and LogMeIn

• Configure an IPSec VPN

Operating System–Based VPNs

An operating system–based VPN is very convenient because you can refer to remote servers by their assigned Internet Protocol (IP) addresses, rather than use network address translation (NAT). This avoids problems inherent in connecting to servers behind a many-to-one NAT configuration. You can choose from several ways to install a VPN using computers running commercial operating systems. You can configure a VPN connection from a client computer using a variety of operating systems, including Windows XP, Vista, Windows 7, Linux, and UNIX.

A VPN is a hardware and software solution for remote workers, providing users with a data-encrypted gateway through a firewall and into a corporate network. VPNs were once practical only for large businesses. Today, however, most businesses—large and small—can afford the technology, and VPNs are becoming increasingly popular in the small to midsized business market. VPNs are ideal for companies with telecommuters, satellite offices, or employees who travel and need to connect to the corporate network via the Internet. If used properly, VPNs block hackers attempting to access your network to steal sensitive data. They can also save your organization a lot of money on long-distance phone calls.

As a data-encrypted tunnel over the Internet, a VPN can offer a robust and secure Internet connection for your organization. It can also be a cheap alternative to a dedicated phone line. Some solutions for small companies start as low as $200. How can you know if your organization needs a VPN? That depends on some key factors you should consider before deciding to use a VPN:

• Does your organization traffic in sensitive data? For most businesses, the answer is probably yes. Most companies have customer information and records, financial records, and proprietary information in their internal networks that merit protection. On the other hand, if your organization stores its sensitive data offline or you don’t have anything online of interest to hackers, perhaps your organization doesn’t need to invest in a VPN.

• Does your organization employ telecommuters, traveling employees, or other remote workers? If so, a VPN can provide two main advantages: It can offer secure network access to employees away from the office, traveling or working off-site, and it can extend the corporate network to them, enabling them to remain productive outside your office.

• Does your company already use Secure Sockets Layer (SSL)–encrypted Internet pages? Some companies using Microsoft Exchange servers for e-mail, for example, may already have the encryption protection necessary for remote workers—at least for accessing their e-mail (via Outlook Web Access). In this case, the VPN is a built-in feature of the operating system. Businesses without sensitive information can use operating system–based VPNs and Web-based alternatives to a VPN for authentication and encryption, though these may be less secure.

• Does your organization have more than a few employees? A VPN may be an expensive solution for a company with fewer than five employees, so some alternatives might work better for such an environment.

Suppose you’ve considered these issues and concluded that your organization does need a VPN. In this case, here are six further important factors to consider:

• Consider the difference between a VPN based on customer premise equipment (CPE) and one based on an operating system. A CPE solution represents the majority of VPNs on the market and is commonly referred to as a VPN appliance. This solution is easy to set up, manage, and maintain. Windows Server 2008 Network Access is an example of an operating system–based VPN. If you have a server running Windows Server 2008, you can install the Network Policy and Access Services role and configure the server as a VPN server. This requires some expertise with Windows Server 2008 and can be a little more challenging than a CPE solution. However, the operating system–based VPN can be cheaper and easier to manage than a CPE.

• Should you install the VPN yourself or use a managed service? Any competent IT staff can probably install leading commercial products from vendors such as Cisco or SonicWall. While the DIY approach provides more control over setup and usage, installing a VPN incorrectly can inadvertently open a security hole in your organization’s network. In addition, the administration and management of a VPN in-house can sometimes be complicated. Telecommunications companies such as Qwest, Verizon, and BellSouth, as well as several Internet service providers, offer managed security solutions that can save you time and money.

• Do you have a firewall? A VPN cannot replace a firewall. Some administrators tend to use a VPN instead of a firewall, which is not a smart choice. The purposes of a VPN are to create an encrypted tunnel or gateway through your network’s firewall and to keep out hackers. The VPN encrypts the pieces of data, but the firewall still protects the internal network from outside threats. A VPN without a firewall doesn’t make good security sense.

• Do you have an operating system–based VPN? Regardless of the strategy you end up using, make sure you have an IPSec (Internet Protocol Security)–compliant operating system. IPSec is a VPN-supporting technology included in Windows XP, Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. Used with compatible VPNs, IPSec guarantees the authenticity, integrity, and confidentiality of network traffic. Interoperability with a VPN may be an issue with Macintosh systems or some variants of UNIX or Linux. If you decide to buy a VPN, make sure it is compatible with your operating system.

• Do you have a wireless local area network (LAN)? The VPN should operate securely with it. A VPN can enhance the capabilities of a wireless LAN, but improperly layering a VPN on a wireless network can result in security holes. One method places the wireless LAN outside the firewall, hosting the VPN behind the firewall to ensure security. Otherwise, wireless network traffic can access systems behind the firewall, canceling the benefits of the VPN. Many organizations use layered firewalls so that the wireless network is protected from the outside while restricting access to the inside. In essence, the LAN operates in what is called a demilitarized zone (DMZ).

• Can your organization tolerate a potential decrease in network performance? A VPN may cause a performance lag for internal users accessing the Internet. This happens when 10 to 15 percent of the Internet bandwidth serves as security overhead. While VPNs are great for setting up a secure connection, they can take a measurable toll on connection speed. The tradeoff is that VPNs are worthwhile investments for providing a secure connection for remote and traveling workers.

VPN Usage in Organizations

VPNs serve an organization’s computer network in two primary ways. They give remote users access to internal networks, or they connect two separate offices. These are the host-to-gateway and gateway-to-gateway models:

• Host-to-gateway VPN—In a host-to-gateway VPN, the mobile user takes specific actions to connect to the VPN. For example, the mobile user would first connect to the Internet from a remote location outside the organization. Once connected to the Internet, the user could then initiate the VPN to tunnel through the Internet. The VPN appliance or server then acts as a gateway for the user to access resources on the internal network.

• Gateway-to-gateway VPN—A gateway-to-gateway VPN is used to connect two offices in different locations. For example, an organization could have a main office in Virginia Beach and a remote office in Miami. VPN appliances or servers can operate in both locations with an always-on VPN connection between them. Now users in Miami can connect to resources in Virginia Beach using this gateway-to-gateway model. In this model, users in the remote office don’t need to take any additional steps to connect. The gateway-to-gateway model is also called a site-to-site model.

VPN Appliances

One of the easiest and most cost-effective ways to provide secure access to a network is to purchase an inexpensive VPN appliance and set it up, which will take about an hour of your time. VPN appliances can make secure remote access easy.

When considering the purchase of a VPN appliance, ensure that you have the required complementary hardware in place. First, the VPN appliance must have access to the Internet. Remote users will use the public IP address assigned to the appliance to connect to it. Second, the VPN server must have access to the internal network. It will use internal routing to connect remote users from the Internet to the internal network. Of course, resources in the internal network must be on and available for the VPN users to access them.

Not long ago, VPN appliances were expensive and required client licenses for each computer in addition to the appliance itself. VPN technology was too expensive for all but the largest companies. But new products make it possible to install a VPN appliance on virtually any size network for budget-minded organizations and small office, home office (SOHO) networks. For example, Buffalo Technology’s 125 High-Speed Mode wireless secure remote gateway is a VPN gateway/firewall router and a wireless access point rolled into one neat package. Another great product is the Linksys WRV54 Wireless-G VPN broadband router, a similar product that provides robust protection for your network. You should know that some VPN appliance products on the market are designed for home installations. While these products are very easy to install, they allow only a very limited number of accounts and some of them provide relatively slow access.

Configuring a Typical VPN Appliance

Most VPN appliances are designed for simple and quick installations, with plenty of wizards and an automated setup that makes it easy even for non–computer-savvy people. All you typically need to do is to plug the appliance into your network between your ISP’s connection and your internal network. If your network does not have a router or hub, this device can serve that purpose as well. Once you turn on the VPN appliance, you can use any computer on the network to log on to a Web page, complete your configuration, and add user access accounts.

While VPN appliances are a secure technology, you need to take basic security measures to preserve the security of your network and remote connections. When you are configuring user account access on the VPN gateway system, for instance, always change the default settings and never use the default passwords. Also, you should give each VPN user an individual access account. In practice, that means if an employee leaves the company, you don’t have to change the access passwords for everyone—you just turn off the associated account.

Client-Side Configuration

Once you have configured your appliance, you will need to configure the software on the computers (clients) connected to the network. The systems designed for small installations assume that you will use Microsoft or Macintosh VPN client software. Some variants of Linux and UNIX may have built-in client VPN software.

Adding a VPN appliance to your office network gives you a remote access solution that lets you and your staff be more productive from anywhere in the world. Not a bad return on a few hundred dollars and an hour of your time.

Remote Desktop Protocol

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to another computer. The protocol is an extension of the ITU-T T.128 application-sharing protocol. Clients exist for most versions of Microsoft Windows, Windows Mobile, Linux, UNIX, Mac OS X, and other modern operating systems. By default, RDP uses TCP port 3389.

Remote Desktop Connection (RDC) is a built-in application that uses RDP. When RDC is enabled, you can connect to another computer, log on, and perform almost any action as if you are sitting in front of the remote computer. You can do this from a desktop PC to another desktop PC using the same operating system. In large organizations, administrators commonly use this to remotely manage servers from their desktop PCs.

RDC must be enabled on the remote computer. In most Windows operating systems, you do this by right-clicking Computer in Windows Explorer or in the Start menu and selecting Properties. You then change the Remote settings to allow remote desktop connections. This also opens port 3389 on the remote computer. If the connection goes through a firewall, port 3389 must also be open on the firewall. You can launch RDC differently in different Windows operating systems. However, one method that works in all current Windows versions is to type MSTSC at the command line. The initials represent Microsoft Terminal Services Connection.
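Because enabling RDC opens port 3389, a defender will want to know who is actually logging on over it. The following Python script is an added example, not part of the chapter; it reviews a constructed sample of Windows Security log fields (events 4624 and 4625 with logon type 10, the value Windows uses for Remote Desktop sessions) and flags successful RDP logons from outside the internal ranges as well as sources that accumulate repeated failures. The address ranges, user names and threshold are assumptions chosen for the example.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

# Logon type 10 (RemoteInteractive) is what Windows records for a
# Terminal Services / Remote Desktop session in events 4624 and 4625.
RDP_LOGON_TYPE = "10"

# Assumption: the RFC 1918 ranges stand in for the organization's internal LAN.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of the fields a SIEM would extract from the Security log.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4624, "LogonType": "10", "TargetUserName": "jdoe",
     "IpAddress": "10.1.4.25"},                          # RDP from the LAN
    {"EventID": 4624, "LogonType": "2",  "TargetUserName": "jdoe",
     "IpAddress": "-"},                                  # console logon, not RDP
    {"EventID": 4625, "LogonType": "10", "TargetUserName": "administrator",
     "IpAddress": "198.51.100.23"},
    {"EventID": 4625, "LogonType": "10", "TargetUserName": "administrator",
     "IpAddress": "198.51.100.23"},
    {"EventID": 4625, "LogonType": "10", "TargetUserName": "admin",
     "IpAddress": "198.51.100.23"},
    {"EventID": 4624, "LogonType": "10", "TargetUserName": "svc_backup",
     "IpAddress": "198.51.100.23"},                      # success after failures
]


def is_external(ip: str) -> bool:
    """True when the source address lies outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # "-" means Windows recorded no network source
    if addr.is_loopback:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def review_rdp_events(events: List[Dict], failure_threshold: int = 3) -> Dict:
    """Summarize RDP activity: successes from outside, and noisy failing sources."""
    rdp = [e for e in events if e["LogonType"] == RDP_LOGON_TYPE]
    external_success = [(e["TargetUserName"], e["IpAddress"])
                        for e in rdp
                        if e["EventID"] == 4624 and is_external(e["IpAddress"])]
    failures = Counter(e["IpAddress"] for e in rdp if e["EventID"] == 4625)
    password_guessing = sorted(ip for ip, n in failures.items()
                               if n >= failure_threshold)
    return {
        "rdp_events": len(rdp),
        "external_success": external_success,
        "password_guessing": password_guessing,
    }


if __name__ == "__main__":
    report = review_rdp_events(SAMPLE_EVENTS)
    print(f"RDP events reviewed: {report['rdp_events']}")
    for user, ip in report["external_success"]:
        print(f"ALERT: external RDP logon for {user} from {ip}")
    for ip in report["password_guessing"]:
        print(f"ALERT: repeated RDP logon failures from {ip}")
```

The script reports one external success and one source with repeated failures. When Network Level Authentication is enabled on the remote computer, failed attempts are commonly recorded with logon type 3 rather than 10, so a production rule usually widens the failure filter accordingly.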

The client can run other operating systems, such as Mac OS, Linux, or UNIX, as long as the terminal services protocol is supported. When connecting to Windows Server 2008, Windows Vista, or newer systems, you’ll need to weaken security to support the non-Microsoft clients.

GoToMyPC is another remote desktop technology that allows you to remotely access your computer from any other Internet-connected computer in the world with almost any operating system through a secure, private connection. The application is ideal for organizations that need remote desktop access for up to 20 computers. It’s an easy and secure remote-access solution that enables you to conveniently access e-mail, files, programs, and network resources from home or the road.

NOTE

Microsoft changed the name of Terminal Services to Remote Desktop Services in Windows Server 2008 R2. However, the MSTSC command still works. It’s also worth noting that Terminal Services and Remote Desktop Services have much broader usage than just connecting to remote desktops. For example, you can use these services when a Microsoft server is configured as a VPN server.

Using Remote Control Tools

As companies continue to expand their networks and increasingly use remote offices and telecommuting, they need the ability to manage devices from virtually any location.

Microsoft has offered a built-in remote control solution called Remote Assistance for modern operating systems since Windows XP. It allows help desk professionals or other IT administrators to remotely control a user’s system, while the user is watching.

For example, a user may not know how to configure an application. The user calls the help desk for assistance. Instead of trying to talk the user through the steps, the help desk pro can show the user how to do it. The help desk pro can use Remote Assistance to take control of the user’s desktop. While connected, the helper will have control of the user’s desktop as long as the user allows it. The user is able to disconnect the helper at any time.

While the built-in Remote Assistance is great as a free tool, it doesn’t meet the needs of every organization. Several third-party tools are available that can provide additional features. For example, Symantec offers pcAnywhere as a solution for organizations to access and securely manage remote computers.

The pcAnywhere program supports multiple platforms for both host and remote systems, including Windows (including Vista and Windows Server 2008), Linux, and Mac. Systems can also be securely accessed from Windows Mobile/Pocket PC devices and Web browsers. The application allows organizations to easily connect to servers and endpoint devices.

Some of what pcAnywhere offers:

• A feature-rich, secure, reliable remote control solution.

• Compatibility with a heterogeneous host and remote platform support across Windows, Linux, and Mac OS X. All hosts can also be accessed from Microsoft Pocket PC devices or Web browsers.

• Support for 64-bit environments.

• A gateway option that enables real-time discovery of and connection to multiple devices behind firewalls and NAT devices, which mitigates the problems of private and dynamic IP addresses.

Using Remote Access

VPNs allow remote users to connect to a private network over a public network. The private network is the organization’s internal network. The public network is often the Internet, but it’s also possible for an organization to use leased lines from a telecommunications company to create the VPN connection.

Remote users can be:

• Salespeople on the road

• Field technicians

• Consultants working in customer work sites

• Anyone who needs to have access to internal company resources while away

Since data transmits over a public network, you need to protect it. VPNs use tunneling protocols to establish secure connections. These tunneling protocols include different types of encryption to protect the data.

The Technology for Remote Use

Several protocols support VPNs. These include:

• Point-to-Point Tunneling Protocol (PPTP)—This protocol supports Microsoft’s remote access servers and has known issues. It uses Microsoft Point-to-Point Encryption (MPPE). While PPTP is still used for some remote access solutions, IPSec and SSL-based solutions are replacing it.

• Layer 2 Tunneling Protocol (L2TP)—Cisco and Microsoft collaborated to create this by combining strengths from Cisco’s Layer 2 Forwarding (L2F) protocol and Microsoft’s PPTP. It uses IPSec for encryption. A significant weakness is that IPSec can’t go through a Network Address Translation (NAT) server, since NAT breaks IPSec.

• Secure Sockets Layer (SSL)–based tunneling protocols—Due to the limitations of IPSec with NAT, newer tunneling protocols use SSL for encryption. For example, Microsoft can use Secure Socket Tunneling Protocol (SSTP). VPN appliances can also use SSL-based tunneling protocols. SSL requires public key infrastructure (PKI) support to obtain and use a certificate.

• Internet Key Exchange v2 (IKEv2)—IKEv2 is an IPSec-based VPN protocol that uses NAT traversal (NAT-T). NAT-T allows IPSec traffic to pass through a NAT server. IKEv2 provides significant improvements over IKE and has been adopted by several companies such as Microsoft, in Windows Server 2008 R2; Cisco; and Openswan. Openswan is a Linux-based solution presented later in this chapter. IKEv2 requires public key infrastructure (PKI) support to obtain and use a certificate.

Each method has its advantages depending on the access requirements of your users and your organization’s IT processes. While many solutions only offer either IPSec or SSL, some vendors, such as Microsoft and Cisco, offer multiple technologies integrated on a single platform with unified management. Offering both IPSec and SSL technologies can enable organizations to customize their remote-access VPN without any additional hardware or management complexity.

SSL-based VPNs also enable remote-access connectivity from almost any Internet-enabled location using a Web browser and its native SSL encryption. It does not require any special-purpose client software to be pre-installed on the system. This makes remote access SSL VPNs capable of “anywhere” connectivity from company-managed desktops and non–company-managed desktops, such as employees’ PCs, contractor or business partner desktops, and Internet kiosks. Any software required for application access across the SSL VPN connection is dynamically downloaded on an as-needed basis, thereby minimizing desktop software maintenance.

IPSec-based VPNs are the deployment-proven remote-access technology used by most organizations today. IPSec VPN connections use pre-installed VPN client software on the user desktop, thus focusing it primarily on company-managed desktops. IPSec-based remote access also offers versatility and customizability through modification of the VPN client software. Using APIs in IPSec client software, organizations can control the appearance and function of the VPN client for use in applications such as unattended kiosks, integration with other desktop applications, and other special use cases.

Both IPSec and SSL VPN technologies offer access to virtually any network application or resource. SSL VPNs offer additional features such as easy connectivity from non–company-managed desktops, little or no desktop software maintenance, and user-customized Web portals upon login.

Choosing Between IPSec and SSL Remote Access VPNs

Both IPSec and SSL can provide the level of security needed for a VPN. The primary drawback with IPSec is that it can’t traverse a NAT server. If you are deploying a VPN server and want the connection to go through a NAT server, SSL is a sound solution.

While it is possible to use NAT traversal (NAT-T) to allow IPSec traffic to pass through a NAT server, be aware of some issues with it. For example, Microsoft has specifically recommended that NAT-T not be used, though IT professionals still recommend NAT-T with non-Microsoft hosts.
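The IKEv2 bullet above says NAT-T lets IPSec traffic pass through a NAT server, and this section says the result needs care. What NAT-T actually does first is detect the NAT. The following Python example is added here and is not from the chapter or from any VPN product: it reproduces the NAT detection step of IKEv2 (RFC 7296, section 2.23), in which each peer sends a SHA-1 hash of the IKE SPIs plus the address and port it believes it is using, and the receiver recomputes the hash over the address and port the packet really arrived from. A mismatch means a NAT rewrote the packet, so the peers switch IKE and ESP to UDP encapsulation on port 4500. The addresses, ports and SPI values are constructed for the example.

```python
import hashlib
import ipaddress
import struct
from typing import Dict


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Payload of a NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notify:
    SHA-1 over initiator SPI, responder SPI, IP address and UDP port (RFC 7296 2.23)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed        # 4 bytes (IPv4) or 16 (IPv6)
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def sender_behind_nat(received_hash: bytes, spi_i: bytes, spi_r: bytes,
                      observed_ip: str, observed_port: int) -> bool:
    """Receiver's check: recompute over where the packet really came from.
    Any difference means the sender's address or port was rewritten in transit."""
    return received_hash != nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)


def detect_nat(initiator_ip: str, initiator_port: int,
               observed_ip: str, observed_port: int,
               responder_ip: str, responder_port: int = 500) -> Dict:
    """Simulate the IKE_SA_INIT request as seen by the responder.

    The initiator hashes its own view of its source and of the destination it is
    sending to.  If a NAT sits in between, the responder observes a different
    source (observed_ip:observed_port) and the source hash no longer matches."""
    spi_i = bytes.fromhex("0123456789abcdef")   # constructed initiator SPI
    spi_r = bytes(8)                            # responder SPI is zero in the request

    # Notifies as built by the initiator, before any NAT touches the packet.
    source_notify = nat_detection_hash(spi_i, spi_r, initiator_ip, initiator_port)
    dest_notify = nat_detection_hash(spi_i, spi_r, responder_ip, responder_port)

    # Responder side: compare against what actually arrived and against itself.
    initiator_natted = sender_behind_nat(source_notify, spi_i, spi_r,
                                         observed_ip, observed_port)
    responder_natted = dest_notify != nat_detection_hash(spi_i, spi_r,
                                                         responder_ip, responder_port)
    nat_present = initiator_natted or responder_natted
    return {
        "initiator_behind_nat": initiator_natted,
        "responder_behind_nat": responder_natted,
        # Without NAT, ESP rides directly on IP (protocol 50); with NAT the peers
        # move to UDP port 4500 so the translator has ports to track.
        "encapsulation": "udp-4500" if nat_present else "esp",
    }


if __name__ == "__main__":
    # Constructed scenario: a client on 10.0.0.5 behind a NAT that rewrites
    # the packet to 203.0.113.4 with a new source port, talking to 198.51.100.1.
    print(detect_nat("10.0.0.5", 500, "203.0.113.4", 61234, "198.51.100.1"))
    # Same exchange with no NAT on the path.
    print(detect_nat("192.0.2.9", 500, "192.0.2.9", 500, "198.51.100.1"))
```

The hash deliberately covers the SPIs, so a stale value from another negotiation cannot be replayed into this one; a VPN gateway placed in a DMZ behind a translating firewall will therefore always see itself flagged as "behind NAT" and will need UDP 4500 opened in addition to UDP 500.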

Terminal Services

Terminal Services is a built-in Microsoft Server product with multiple uses. It works in two modes: Terminal Services for Administration and Terminal Services for Applications. Other vendors also use terminal services for remote applications.

Terminal Services for Administration allows administrators to connect remotely into servers from their desktop computers. It allows them to remotely administer the server as described in the “Remote Desktop Protocol” section earlier in this chapter.

Terminal Services for Applications is the focus of this section. It allows a single server to host one or more applications for remote users. For example, suppose a legacy application does not run on Windows 7. A Terminal Services server could be configured to host the application, and multiple Windows 7 clients could then connect to the server to run the application. Each client would run a separate instance of the application in a separate memory space.

It’s also possible for a Terminal Services server to host entire desktops. For example, older computers may be running Windows 2000 and they don’t have the hardware to support Windows 7. An organization can configure a Terminal Services server to host Windows 7 desktops for these clients. The users would start the Windows 2000 computer, connect to the Terminal Services server, and then run a Windows 7 desktop.

As mentioned earlier, Microsoft renamed Terminal Services to Remote Desktop Services when it released Windows Server 2008 R2. Windows Server 2008 R2 increased the capabilities and features, but supports the older capabilities and features.

Over the past few years, many software publishers have experimented with offering hosted services. The basic idea behind hosted services architecture is that an organization does not have to purchase licenses for software applications or have the hassles of installing or maintaining those applications. Instead, an ISP or a software vendor leases the applications to the organization. The application actually runs on the service provider’s servers, and users interact with the application over the Internet.

This arrangement has some drawbacks, however. For instance, terminal services take an application’s configuration out of an organization’s direct control. It’s not uncommon to hear about network administrators who were put out of a job because the companies that they worked for decided to outsource all of their applications to a hosting provider. Another compelling argument against the use of hosted services has to do with service availability. If your Internet connection goes down, then nobody can access the hosted applications. Of course, Internet service is more reliable in some areas than others.

Terminal services for hosted applications have many benefits. The primary one is that the service provider takes care of all of the application maintenance for you. Many of these benefits are things that you just don’t get if you install the applications locally on each individual workstation or if you outsource your applications to a hosting provider. Microsoft products can provide hosted applications using TS RemoteApp and TS Web Access.

TS RemoteApp

One of the challenges with running applications on remote servers is that it looks odd to users and they have trouble adapting. TS RemoteApp is a Microsoft solution that runs on a Microsoft Terminal Services server but appears, to end users, as if it were actually running on their systems.

They don’t need to open a Terminal Services session, but instead launch the application from their Start menu or a shortcut on their computer. The application appears in a window on the users’ computers just as if it were running on the local computer.

TS Web Access

An extension of TS RemoteApp is TS Web Access. This allows TS RemoteApp applications to launch from a Web browser. This provides many possible benefits.

The TS RemoteApp applications can intertwine into Web pages and appear to launch from a Web server. In other words, the clients use a Web browser to access a Web site. From within this Web site, they can then click on a link for the TS RemoteApp application. TS WebAccess can be configured in an internal intranet or accessible to users from the Internet.

Notice that TS Web Access allows remote clients to connect to internal resources without the need for a VPN. Depending on what your remote clients need, this is a suitable substitute.

Microsoft DirectAccess

DirectAccess is a newer Microsoft solution that can be used as an alternative to a traditional Internet Engineering Task Force (IETF) VPN. It allows remote clients to connect to internal servers without initiating a VPN connection. As long as clients have Internet connectivity, they will be able to access internal resources using DirectAccess.

Microsoft introduced DirectAccess in Windows 7 and Windows Server 2008 R2 products. Once it’s configured on the clients and servers, it is relatively invisible to the clients. Client computers connect to the DirectAccess computer, which acts as a gateway to internal resources. Only resources configured to be accessible with DirectAccess can be accessed from clients. In other words, you could have 10 servers in the internal network, but choose to make only a few of them accessible.

For example, you could configure a Microsoft Exchange server (used for e-mail) with DirectAccess. When a DirectAccess-enabled Windows 7 client connects to the Internet, it would automatically connect with a DirectAccess server. When the user starts Microsoft Outlook, DirectAccess automatically makes the connection to the internal Microsoft Exchange server. In other words, users can be on the road and still use their e-mail client just as if they were in the office. The same process works for any servers that an administrator wants to make accessible on the Internet. DirectAccess can be enhanced by combining it with Forefront Unified Access Gateway (UAG). UAG gives administrators more control over the connections and enhances security. When UAG is run, a UAG server acts as the gateway between the client and the internal network. This is similar to how DirectAccess works by itself in that clients don’t need to establish a separate VPN connection.

A significant added benefit of DirectAccess is that administrators can execute control over the remote clients. For example, in a Microsoft environment, Group Policy can ensure that a system has minimum-security settings. While this is normally not possible for systems that are disconnected from the internal network, DirectAccess with UAG allows an administrator to apply Group Policy to these remote computers.

It’s also possible to use Network Access Protection with DirectAccess. You can create policies to ensure that the remote system has other security measures in place. For example, you can ensure that the system is up to date with current security updates and that it has up-to-date antivirus software installed and enabled.

DMZ, Extranet, and Intranet VPN Solutions

A demilitarized zone (DMZ) is a physical or logical subnetwork that contains and exposes an organization’s external services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization’s LAN. An external attacker can gain access to equipment in the DMZ, but not parts of the network behind the firewall.

For example, public-facing servers that need to be accessible from the Internet are placed in the DMZ. This could include Web servers, e-mail servers, FTP servers, and more. Organizations that employ VPN servers for remote users often place them in the DMZ.

In a network, the hosts most vulnerable to attack are those that provide services such as e-mail, Web, and FTP servers to users outside of the local area network. Because of the increased potential of these hosts being compromised, they are placed into their own subnetwork to protect the rest of the network if an intruder were to succeed.

Hosts in the DMZ have limited connectivity to specific hosts in the internal network, though communication with other hosts in the DMZ and to the external network is allowed. For example, a Web server in the DMZ may be able to connect to a database server in the internal network, but not to any other hosts in the internal network. This allows hosts in the DMZ to provide services to both the internal and external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients.
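The rule set just described (Internet may reach the DMZ Web server, the Web server may reach one internal database server and nothing else on the LAN, DMZ hosts may talk to each other and to the outside) is easy to state and easy to get wrong in the firewall because rule order matters. The following Python example is added here and is not from the chapter: it encodes that policy as an ordered, first-match rule table with an implicit default deny and evaluates sample flows against it. The address plan (documentation ranges for the DMZ and Internet, an RFC 1918 block for the LAN, and the two server addresses) is constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source network, CIDR notation
    dst: str                # destination network, CIDR notation
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port; None matches any port
    comment: str = ""


# Constructed address plan (assumption, not from the chapter).
INTERNET = "0.0.0.0/0"
DMZ = "192.0.2.0/24"
INTERNAL = "10.0.0.0/8"
DMZ_WEB = "192.0.2.10/32"       # public Web server living in the DMZ
INTERNAL_DB = "10.0.10.5/32"    # database server on the internal network

# First match wins.  The narrow Web-to-database exception must precede the
# broad DMZ-to-internal deny, and that deny must precede the DMZ-to-Internet
# allow, because 0.0.0.0/0 also covers 10.0.0.0/8.
RULES: List[Rule] = [
    Rule("allow", INTERNET, DMZ_WEB, "tcp", 443, "public HTTPS service"),
    Rule("allow", INTERNET, DMZ_WEB, "tcp", 80, "public HTTP service"),
    Rule("allow", DMZ_WEB, INTERNAL_DB, "tcp", 1433, "Web tier to its database only"),
    Rule("deny", DMZ, INTERNAL, "any", None, "no other DMZ-to-internal traffic"),
    Rule("allow", DMZ, DMZ, "any", None, "DMZ hosts may reach each other"),
    Rule("allow", DMZ, INTERNET, "any", None, "DMZ hosts may reach the external network"),
    Rule("allow", INTERNAL, DMZ, "any", None, "internal clients use DMZ services"),
    Rule("deny", INTERNET, INTERNAL, "any", None, "the Internet never reaches the LAN directly"),
]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, reason) for a flow under first-match semantics.
    Anything no rule mentions falls through to the default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action, rule.comment
    return "deny", "implicit default deny"


if __name__ == "__main__":
    # Constructed flows: the Web server's legitimate traffic, then the paths
    # an intruder on a compromised DMZ host would try next.
    flows = [
        ("203.0.113.7", "192.0.2.10", "tcp", 443),     # visitor to Web server
        ("192.0.2.10", "10.0.10.5", "tcp", 1433),      # Web server to database
        ("192.0.2.10", "10.0.20.8", "tcp", 445),       # Web server to a file server
        ("192.0.2.10", "10.0.10.5", "tcp", 22),        # Web server to database, wrong port
        ("203.0.113.7", "10.0.10.5", "tcp", 1433),     # visitor straight to database
    ]
    for src, dst, proto, port in flows:
        action, why = evaluate(RULES, src, dst, proto, port)
        print(f"{src:>13} -> {dst:<11} {proto}/{port:<5} {action:5} ({why})")
```

Moving the "deny DMZ to internal" rule below the "allow DMZ to Internet" rule silently opens the whole LAN to the DMZ; running a table like this against the flows you expect and the flows you fear is a cheap way to catch that kind of ordering mistake before the firewall ships.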

Intranet VPNs

An intranet is an internal network. While users within the intranet can access the Internet using different resources such as a proxy server, access to the internal network is severely restricted. Since traffic in the intranet is primarily from internal clients, the intranet is a trusted zone and needs fewer security measures.

An intranet VPN is a VPN that connects two or more internal networks. Earlier in this chapter, you learned about the concept of gateway-to-gateway VPNs. A gateway-to-gateway VPN provides connectivity between two locations such as a main office and a branch office. This is also known as an intranet VPN.

It’s important to realize that even though the VPN may be called an intranet VPN, it will still have to traverse a wide area network (WAN) link. Most organizations will rent access to this WAN link and it’s very rare that a company has exclusive access to it. In other words, the WAN link will be accessible to users outside the organization. The same level of security measures used in a DMZ VPN should also secure an intranet VPN.

Extranet VPNs

Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate intranet over a shared infrastructure. For example, an organization may hire a consulting company to look at different processes within the organization and provide recommendations to improve them. The organization could create an extranet VPN to allow the consultants access to some internal resources.

Extranets are commonly configured to connect via the Internet, but can use leased lines or even dedicated connections. Extranets differ from intranets in that they allow access to remote users outside of the enterprise.

Figure 14-1 illustrates an extranet VPN topology. Using digital certificates, clients establish a secure tunnel over the Internet to the enterprise. A certification authority (CA) issues a digital certificate to each client for device authentication. The CA server checks the identity of remote users and then authorizes remote users to access information relevant to their functions.

FIGURE 14-1  An extranet VPN topology.

Internet Café VPNs

An Internet café is a public location that sells Internet access, often by the minute. The café will often sell typical café items such as coffee and sandwiches. However, with the explosion of wireless in recent years, many eateries provide free wireless Internet access to bring in customers. For example, many Starbucks and McDonald’s locations provide free WiFi.

The challenge when using an Internet café, or even an open wireless connection at an eatery, is security. Others in the local area may be able to view data on the connection unless it’s encrypted. Since the majority of Internet traffic is not encrypted, attackers may be able to gain valuable information by capturing another user’s traffic.

The owner of the Internet café can capture any data that passes through with a free packet sniffer such as Wireshark. Additionally, many free wireless sniffers are available that an attacker can use over a shared wireless connection to capture all of the traffic.

An alternative is to use an Internet café VPN connection. As soon as you connect to the Internet café or the wireless network, you connect to the Internet café VPN, which is hosted at your organization. The VPN encrypts all of the traffic between your computer and the VPN server, so anyone sniffing the local connection sees only encrypted data.

For example, HotSpotVPN is a product your organization can purchase and use as an Internet café VPN connection. Once you set it up, you can direct your users to connect to it for all Internet access.

NOTE

You can get more details about HotSpotVPN at http://www.hotspotvpn.com/overview/.

Online Remote VPN Options

GoToMyPC, LogMeIn, and NTRconnect are remote access and control solutions that all perform extremely well. Each product is easy to set up and use, and all offer a similar set of features. While the products are similar, you should know about a few noteworthy differences.

Security

While each technology handles security slightly differently, all are extremely secure and can be safely used in any environment. Both LogMeIn and NTRconnect provide 256-bit end-to-end encryption; GoToMyPC, on the other hand, provides only 128-bit. LogMeIn and NTRconnect also offer a few more features than GoToMyPC. For example, LogMeIn and NTRconnect allow you to restrict the times at which your computer can be remotely accessed and to specify the IP addresses from which it can be remotely accessed—functionality that GoToMyPC does not offer. Also, NTRconnect is the only product to provide keycard security. If you feel that you need to limit remote access times and/or restrict access to only certain IPs, then you will want to consider either LogMeIn or NTRconnect.

Wake-on-LAN Support

Wake-on-LAN is an extremely valuable feature. Most computers include power management capabilities, allowing them to turn off or go to a low-power state when they aren’t being used for a time. These computers can then be awakened when they are sent a specific string of bits in a “magic packet.” When the computer receives the magic packet, it wakes up: if it was off, it turns on; if it was in a low-power state, it returns to full power.

Of the products mentioned, only NTRconnect enables you to remotely start your computer. To use GoToMyPC or LogMeIn, the remote computer must be switched on. If you work away from your home or office computer for extended periods and switch off your computer while away, you’ll probably find NTRconnect’s wake-on-LAN support to be a real benefit.

File Sharing

LogMeIn provides file-sharing functionality that enables you to e-mail a link to a file on your computer that the recipient can use to download the file (directly from your computer) at any time. To share files in this manner, you do not need to invite the person to share your desktop and you do not need to be at your computer at the time he or she downloads the file. This feature is especially useful if you frequently need to share files that are too big to e-mail.

This feature is not available with GoToMyPC or NTRconnect.

Remote Printing

GoToMyPC and LogMeIn enable you to easily print a document on the host using the printer attached to the client. However, NTRconnect does not support this feature. NTRconnect’s lack of support for remote printing is not too much of a problem, as you can easily copy a document from the host to the client (and then print it). That said, if remote printing is something that you need to do on a regular basis, you’ll probably prefer the convenience of GoToMyPC or LogMeIn.

Mac Support

With all three products, you can use a Mac as the client, but only NTRconnect enables you to use a Mac as the host. So, if you need to be able to remotely access a Mac, NTRconnect is your only choice.

The Tor Application

Tor is an application that uses “onion routing.” Generically, onion routing was designed as an architecture to limit a network’s vulnerability to eavesdropping and traffic analysis. It uses multiple proxy servers, or relays, to provide anonymous connections. Each relay knows only the identity of the previous relay and the next relay in the path, not the whole path.

The proxy servers provide anonymity for users by requesting access to resources and making it appear as if the proxy server is requesting the access, not the original user.

FYI

Data leakage is also a common problem with peer-to-peer (P2P) networks such as BitTorrent. Users share data they didn’t intend to. As an example, the Top Secret plans for the U.S. president’s helicopter were leaked through a P2P network and found on servers in Iran. Some people think that organizations forbid these types of applications to prevent piracy of copyrighted material. However, the primary reason is due to the inherent security risks that most people simply don’t understand. Of course, there’s nothing wrong with helping prevent the theft of copyrighted material in the process.

Tor was derived from the Onion Routing Project managed by the U.S. Naval Research Lab. However, Tor is not an acronym for The Onion Routing project. Instead, it is simply a brand name—similar to Kleenex for facial tissues. The torproject.org Web site still uses an onion as a logo; however, the name is written Tor, not in all uppercase.

The goal of Tor is to allow users to browse the Internet anonymously. Instead of going directly to an Internet site, Tor uses the computers of other Tor users as relays or proxies. Any single Tor connection will go through multiple other computers.

Interestingly, even though the U.S. Naval Research Lab originally designed Tor, it’s forbidden on most government systems. The primary reason is related to data leakage. While the Tor network does provide a level of anonymity, the user never knows what other computers the request will go through. Data sent and received can be captured by any of these computers.

For example, in 2007 Dan Egerstad, a security professional in Sweden, collected usernames and passwords for 100 e-mail accounts of users at different embassies. He simply installed Tor on his system and then captured all the data that went through it. His computer was used as a proxy in the Tor network for thousands of users, and a simple protocol analyzer captured the data. More than the credentials, he also captured a significant number of sensitive e-mail messages from embassies and Fortune 500 companies.

NOTE

You can download the Openswan RPM package at www.openswan.org. The RPM package has an extension of .rpm (from the original Red Hat Package Manager standard used by many Linux distributions today). Be aware that to download and install the RPM version of Openswan you must have the IPSec-tools RPM package installed on your system.

Planning a VPN Implementation

VPNs create a secure data link with a branch office, remote employee, business partner, or customer who needs access to servers located behind a firewall. A VPN provides a secure, encrypted data stream between the firewall and the remote client or server.

This section provides you with the configuration of a permanent site-to-site VPN tunnel using Openswan, one of the most popular VPN packages for Linux.

Requirements

For this implementation you will need Linux kernel 2.0, 2.2, 2.4, or 2.6.

• For Linux kernels 2.0 or 2.2, use Openswan 1.0.10.

• For Linux kernels 2.4 and 2.6, use Openswan 2.4.x.

• For FreeBSD, OpenBSD, NetBSD, and OSX, use Openswan 2.5.x.

Before you attempt this simple SOHO Linux VPN, keep the following in mind:

• The IPSec protocol on which VPNs are based will not tolerate network address translation (NAT) of its data packets (unless you add NAT traversal support, described later in this section). If your firewall does NAT, you’ll have to exempt from NAT the packets that will traverse the VPN.

• You should also set up your Linux VPN box as a firewall. Configure and test the firewall first, and then configure the VPN.

• The networks at both ends of the VPN tunnel must use different IP address ranges. For example, the organization’s internal network may be using an IP address range of 192.168.0.1 to 192.168.0.254. The other network must use a different address range, such as 192.168.1.1 through 192.168.1.254. To avoid confusion, you may want to use completely different private address ranges for each network, such as 172.16.y.z or 10.x.y.z.

• Permanent site-to-site VPNs require firewalls at both ends that use static IP addresses.

Figure 14-2 depicts an Openswan sample topology diagram of a VPN between two environments.

NOTE

In this implementation, the external IP of the machine is listed as 12.34.56.78. The gateway IP is listed as 12.34.56.1. The internal IP of the VPN server (since it has a NIC on both the inside and the outside) is 192.168.1.1 in this example. You can change it to fit your needs.

FIGURE 14-2  Openswan sample topology diagram.

FIGURE 14-3  Installing Openswan from the source.

FIGURE 14-4  Using Openswan’s userland-only install.

Installation

You can install Openswan in two different ways: by performing an RPM install or by building it from source, which requires the libgmp development libraries.

Performing an RPM Install

You’ll find different instructions for installing Openswan depending on what version of UNIX/Linux you’re using. Openswan hosts a Wiki site that includes instructions for many different types of RPM installations at http://wiki.openswan.org/. This site also includes a lot of other details on installing, configuring, and troubleshooting Openswan.

Install from the Source

As root, unpack your Openswan source somewhere in your drive, such as /usr/src. Figure 14-3 provides an example.

You now need to choose your install method. You can choose a userland-only install for 2.6 kernels, or a KLIPS install for 2.6 or earlier kernels (2.0, 2.2, 2.4, and 2.6). If you decide to use the userland-only install, change to your new Openswan directory, and then make and install Openswan’s userland tools, as depicted in Figure 14-4.

Once you finish entering these commands, the install is done. All you need to do now is start Openswan and test your new install. If you decide to use KLIPS, you will have to build it as a kernel module, along with the other Openswan programs you’ll need for the VPN. To do so, enter the command sequence shown in Figure 14-5, which changes to your new Openswan directory, builds the Openswan module, and installs everything.

NOTE

Kernel IP Security (KLIPS) modifies the Linux kernel to support IPSec protocols.

FIGURE 14-5  Performing an Openswan KLIPS install.

FIGURE 14-6  Linking KLIPS statically into your kernel.

FIGURE 14-7  Starting Openswan.

At this point, you can also add NAT traversal (NAT-T) support so that the VPN can pass through NAT devices. NAT-T is a method for encapsulating IPSec ESP packets in UDP packets so that they can pass through routers or firewalls that employ Network Address Translation (NAT). To deploy NAT-T, you need to patch and rebuild your kernel. However, rebuilding the kernel is a risky operation and should be approached cautiously.

To link KLIPS statically into your kernel (using your old kernel settings) and install other Openswan components, just follow the commands listed in Figure 14-6, then reboot your system and test your install.

NOTE

For more information on installing NAT-T, check the Openswan Web site at http://wiki.openswan.org/index.php/Openswan/NATTraversal.

Start Openswan

To start Openswan, enter the command shown in Figure 14-7.

This step is not necessary if you have rebooted your system, as Openswan will launch automatically after it’s been successfully installed.

You can take additional steps to secure the VPN connection. For example, you can use certificate-based keys to secure the connection. You can follow the steps in an excellent walk-through here: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs.

Deployment

Before you deploy your VPN, you need to start Openswan on both VPN devices for the new /etc/ipsec.conf settings to take effect. You can do that by issuing the following commands:

Image

Once that’s done, it’s time for you to initialize the tunnel. To initialize it you can use the ipsec command to start the tunnel net-to-net. Be sure to issue the command simultaneously on the VPN boxes at both ends of the tunnel. The IPSec SA established message highlighted in Figure 14-8 signifies a successful deployment.

FIGURE 14-8  Successfully deploying the Openswan VPN.

Testing and Troubleshooting

To check that you have a successfully installed VPN you should run the command ipsec verify. If your installation was successful, you should see a screen display similar to the one depicted in Figure 14-9.

If any of these first four checks fails, check the Troubleshooting section below on the installation screen.

Firewalls can interfere with Openswan, so you’ll want to pay attention to your firewall settings. Make sure you allow UDP 500 and ESP (protocol 50) through the firewall. For IPSec traffic to traverse a firewall, you need the following ports/protocols open in both directions:

• Protocol 50 ESP

• Protocol 51 AH (optional)

• UDP port 500 IKE

• UDP port 4500 (if you are using NAT traversal to tunnel through NAT/other firewalls)
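The pieces of this implementation that the text describes in prose, collected in one added example (this is not code from the textbook or from the Openswan project): the net-to-net connection for /etc/ipsec.conf using the addresses from Figure 14-2, the matching /etc/ipsec.secrets line, the NAT exemption the Requirements list calls for, the firewall openings listed above, and the deployment commands. The remote site’s public address 203.0.113.10 and the pre-shared key are constructed placeholders; the script prints everything by default and only executes the commands when DRY_RUN=0 is set on a VPN box.

```shell
#!/bin/sh
# Added example for the Openswan site-to-site tunnel in this section (not code
# from the textbook or the Openswan project).  Local addresses follow Figure 14-2;
# the remote side's public address is a constructed placeholder.
set -u

LOCAL_PUBLIC=12.34.56.78        # external NIC of the local VPN/firewall box
LOCAL_NEXTHOP=12.34.56.1        # its default gateway
LOCAL_SUBNET=192.168.1.0/24     # LAN behind it (internal NIC is 192.168.1.1)
REMOTE_PUBLIC=203.0.113.10      # PLACEHOLDER: remote site's static public IP
REMOTE_SUBNET=192.168.0.0/24    # remote LAN; must not overlap LOCAL_SUBNET

DRY_RUN=${DRY_RUN:-1}           # 1 = print commands; 0 = execute (root + Openswan)
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Connection definition for /etc/ipsec.conf.  auto=add loads it at startup and
# leaves bringing it up to 'ipsec auto --up net-to-net' (the Deployment step).
# authby=secret uses the pre-shared key from /etc/ipsec.secrets; the
# certificate-based keys mentioned in the text are the stronger choice.
ipsec_conf() {
    cat <<EOF
config setup
    interfaces=%defaultroute

conn net-to-net
    left=$LOCAL_PUBLIC
    leftsubnet=$LOCAL_SUBNET
    leftnexthop=$LOCAL_NEXTHOP
    right=$REMOTE_PUBLIC
    rightsubnet=$REMOTE_SUBNET
    rightnexthop=%defaultroute
    authby=secret
    auto=add
EOF
}

# /etc/ipsec.secrets line: both public addresses, then the shared secret.
ipsec_secrets() {
    echo "$LOCAL_PUBLIC $REMOTE_PUBLIC : PSK \"CHANGE-ME-long-random-secret\""
}

# Firewall rules on the VPN box:
#  1. exempt tunnel traffic from NAT, inserted ahead of any MASQUERADE rule so
#     packets bound for the remote LAN keep their private source address;
#  2. permit IKE (500), NAT-T (4500), ESP and AH in both directions;
#  3. forward traffic between the two LANs.
firewall_rules() {
    run iptables -t nat -I POSTROUTING 1 -s "$LOCAL_SUBNET" -d "$REMOTE_SUBNET" -j ACCEPT
    for port in 500 4500; do
        run iptables -A INPUT  -p udp --dport "$port" -s "$REMOTE_PUBLIC" -j ACCEPT
        run iptables -A OUTPUT -p udp --dport "$port" -d "$REMOTE_PUBLIC" -j ACCEPT
    done
    for proto in esp ah; do
        run iptables -A INPUT  -p "$proto" -s "$REMOTE_PUBLIC" -j ACCEPT
        run iptables -A OUTPUT -p "$proto" -d "$REMOTE_PUBLIC" -j ACCEPT
    done
    run iptables -A FORWARD -s "$LOCAL_SUBNET"  -d "$REMOTE_SUBNET" -j ACCEPT
    run iptables -A FORWARD -s "$REMOTE_SUBNET" -d "$LOCAL_SUBNET"  -j ACCEPT
}

# Bring-up sequence from the Deployment and Testing steps (run on both ends).
deploy() {
    run service ipsec restart          # reload /etc/ipsec.conf
    run ipsec auto --up net-to-net     # expect "IPsec SA established"
    run ipsec verify                   # installation self-check
}

ipsec_conf
ipsec_secrets
firewall_rules
deploy
```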

The Smoothwall firewall works well with Openswan. You will need to do the following:

• Create a name for each remote VPN in the zones file.

• Describe which IPSec interface to use, based on the names in the zones file.

• Describe how the networks named in the zones file interact in the policy file.

• Define the public IP address of the remote sites in the tunnels file.

Smoothwall automatically makes the rules necessary to allow IPSec for the networks named in the tunnels file.

NOTE

Another alternative for a firewall to work with Openswan is Shorewall. This firewall also works well with IPSec and Openswan. Best of all, you will find comprehensive documentation at their Web site at http://www.shorewall.net.

FIGURE 14-9  Testing Openswan’s install.

TABLE 14-1 VPN implementation best practices.

Passwords
  DO: Change the original password to something you will remember.
  DON’T: Write down your password unless it will be stored in a safe.

Software
  DO: Buy or upgrade antivirus detection software.
  DO: Update your virus definitions daily.
  DO: Check frequently for updated OS (operating system) patches and application patches.
  DON’T: Go without antivirus software.
  DON’T: Ignore OS and application updates/patches.
  DON’T: Use unsafe applications, such as peer-to-peer file sharing tools or applications of unknown origin.

Firewalls
  DO: Enable built-in firewalls.
  DO: Use external standalone firewalls whenever possible.
  DON’T: Go without either a built-in or standalone firewall.

Hardware
  DO: If connecting via a wireless interface, disconnect or disable the wired network interface.
  DO: If connecting via a wired interface, disconnect the wireless.
  DO: Use the VPN for work purposes only.
  DON’T: Enable or connect more than one network interface while using a VPN-connected computer.
  DON’T: Allow people to use the computer who might do so unsafely.

Services and protocols
  DO: Disable any unneeded services or protocols.
  DON’T: Run default services and protocols if they aren’t needed.

VPN Implementation Best Practices

The VPN is only as safe as the machine it is used on. Before deploying a VPN, review the implementation best practices, listed as dos and don’ts, in Table 14-1.

Additional steps you can use for the VPN server include:

• Use strong authentication—Ensure that only authorized clients can connect. Since the VPN server has a public IP address, it is reachable by any Internet user anywhere in the world. If someone can easily log on to the VPN server, that person can easily reach your internal network.

• Use strong encryption—The two primary encryption protocols used in VPNs today are IPSec and SSL. Either of these is strong enough to protect a VPN, but other protocols should also be carefully evaluated.

• Protect the VPN server behind a firewall—Whether you’re using a host-to-gateway or gateway-to-gateway configuration, you should not put the VPN server directly on the Internet. Instead, place it behind a firewall, such as in a DMZ configuration. This provides a layer of protection from Internet attacks.

CHAPTER SUMMARY

This chapter discussed the different types, design, configuration, implementation, and testing of VPNs. It also discussed the main VPN technologies available on the market and best practices in their implementation. VPNs can provide remote clients access to your internal network in a host-to-gateway configuration. They can also provide access between two offices in the same organization using a gateway-to-gateway model.

Many different VPN applications are available. Microsoft provides VPN solutions built into the server operating system. Cisco and other vendors sell VPN appliances you can install and configure easily. You can also use UNIX or Linux systems and install free VPN solutions such as Openswan.

VPNs are increasingly becoming a part of everyday life on the Internet. Many people use them to gain access to resources in their offices, such as e-mail servers and other intranet resources. This trend is certain to become more popular as many companies are finding it cheaper for their employees to work from home, relieving them of the need to lease additional office space.

Site-to-site VPNs will also continue to be deployed as companies both small and large find it increasingly necessary to share access to their main networks with remote offices. One notable area is in the realm of IP telephony, where VPNs enable all remote offices to use a single IP switchboard at the center of a VPN hub and spoke network. Intra-office communication is encrypted and the use of a single switchboard saves money.

KEY CONCEPTS AND TERMS

Customer premise equipment (CPE)

Gateway-to-gateway VPN

Host-to-gateway VPN

Internet Key Exchange v2 (IKEv2)

CHAPTER 14 ASSESSMENT

1. ________ provide(s) secure communications between external users and internal servers located behind a firewall. (Multiple answers may be correct.)

A. VPNs

B. IPSec

C. Intranets

D. Extranets

E. SSL

2. A desirable feature of an operating system–based VPN is the ability to refer to remote servers by their network address translated IP addresses. True or False?

A. True

B. False

3. A VPN is also known as:

A. A neural network

B. A data-encrypted tunnel over the Internet

C. A file sharing and printing server

D. A bastion host

E. None of the above

4. Encrypted communications using Web browsers usually use the ________ protocol.

5. An easy and cost-effective way to secure access to a network is by purchasing (an) inexpensive ________.

A. Switch

B. Router

C. Antivirus software

D. Remote terminal

E. VPN appliance

6. Most VPN appliances are designed for complex installations. True or False?

7. VPN appliances are ________.

A. Not readily available

B. OS specific

C. Very expensive

D. Secure technologies

E. A and B

8. What does RDP stand for?

A. Remote Desktop Processing

B. Remote Desktop Protocol

C. Radio Demilitarized Processing

D. Recovery Dispatching Process

E. Remote Dial-up Process

9. Another name for Terminal Services is:

A. Remote Dial-up System

B. Remote Desktop Services

C. Remote Desktop System

D. Radius Dial-up Services

10. GoToMyPC is a remote desktop technology that allows you to remotely access your computer from any other Internet-connected computer in the world with almost any operating system through a secure, private connection.

A. True

B. False

11. What are two primary methods for deploying remote-access VPNs?

A. SSL and SSH

B. SSL and API

C. IPSec and SSL

D. IPSec and SSH

E. None of the above

12. Terminal Services provides the ability to:

A. Host multiple, simultaneous client sessions

B. Implement software bugs

C. Implement dynamic addressing

D. Sync proxy servers

E. All of the above

13. Terminal Services RemoteApp applications appear to users as if the applications are installed locally when they are actually running on a remote server.

A. True

B. False

14. Microsoft’s DirectAccess:

A. Is an alternative to a traditional VPN

B. Is not a VPN

C. Is a mix of Microsoft Access database served through a VPN

D. Is a DDNS

E. Is an intrusion detection system

15. Users must have physical connectivity with the internal network for the DirectAccess connection to be established.

A. True

B. False

16. When performing a download and install of the RPM version of Openswan, you do not need to have the IPSec-tools RPM package installed on your machine.

A. True

B. False

17. What are the two methods of installing Openswan?

A. KLIPS and IPSec

B. RPM and source libgmp development libraries

C. By hand and automatically

D. Remotely and through a diskette

E. None of the above

18. To check that you have a successfully installed Openswan VPN you should run the command ipsec verify.

A. True

B. False