INTERNET SECURITY AND VPN NETWORK DESIGN
Overview
This article discusses some of the key technical concepts associated with a VPN. A Virtual Private Network (VPN) integrates remote employees, company offices, and business partners using the Internet and secures encrypted tunnels between locations. An Access VPN is used to connect remote users to the enterprise network. The remote workstation or laptop will use an access circuit such as Cable, DSL or Wireless to connect to a local Internet Service Provider (ISP). With a client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop to the ISP using IPSec, Layer 2 Tunneling Protocol (L2TP), or Point to Point Tunneling Protocol (PPTP). The user must authenticate as a permitted VPN user with the ISP. Once that is finished, the ISP builds an encrypted tunnel to the company VPN router or concentrator. TACACS, RADIUS or Windows servers will authenticate the remote user as an employee that is allowed access to the company network. With that finished, the remote user must then authenticate to the local Windows domain server, Unix server or Mainframe host depending on where their network account is located. The ISP-initiated model is less secure than the client-initiated model since the encrypted tunnel is built only from the ISP to the company VPN router or VPN concentrator. In addition, the secure VPN tunnel is built with L2TP or L2F.
The Extranet VPN will connect business partners to a company network by building a secure VPN connection from the business partner router to the company VPN router or concentrator. The specific tunneling protocol used depends on whether it is a router connection or a remote dialup connection. The options for a router-connected Extranet VPN are IPSec or Generic Routing Encapsulation (GRE). Dialup extranet connections will use L2TP or L2F. The Intranet VPN will connect company offices across a secure connection using the same process, with IPSec or GRE as the tunneling protocols. It is important to note that what makes VPNs very cost effective and efficient is that they leverage the existing Internet for transporting company traffic. That is why many companies are selecting IPSec as the security protocol of choice for guaranteeing that information is secure as it travels between routers, or between laptop and router. IPSec is comprised of 3DES encryption, IKE key exchange authentication and MD5 route authentication, which provide authentication, authorization and confidentiality.
Internet Protocol Security (IPSec)
IPSec operation is worth noting since it is such a prevalent security protocol used today with Virtual Private Networking. IPSec is specified in RFC 2401 and was developed as an open standard for secure transport of IP across the public Internet. The packet structure is comprised of an IP header / IPSec header / Encapsulating Security Payload. IPSec provides encryption services with 3DES and authentication with MD5. In addition there is Internet Key Exchange (IKE) and ISAKMP, which automate the distribution of secret keys between IPSec peer devices (concentrators and routers). Those protocols are required for negotiating one-way or two-way security associations. IPSec security associations are comprised of an encryption algorithm (3DES), hash algorithm (MD5) and an authentication method (MD5). Access VPN implementations use 3 security associations (SA) per connection (transmit, receive and IKE). An enterprise network with many IPSec peer devices will use a Certificate Authority for scalability of the authentication process instead of IKE pre-shared keys.
Laptop – VPN Concentrator IPSec Peer Connection
1. IKE Security Association Negotiation
2. IPSec Tunnel Setup
3. XAUTH Request / Response – (RADIUS Server Authentication)
4. Mode Config Response / Acknowledge (DHCP and DNS)
5. IPSec Security Association
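The packet structure and per-connection security associations described above can be made concrete with a small receive-side model. The following is an added example, not code from the article or from any vendor product: it builds a minimal ESP packet (SPI, sequence number, payload, integrity check value) with HMAC-MD5-96 as the MD5 authentication method, then shows the checks a peer performs on arrival: SA lookup by SPI, ICV verification, and a simplified anti-replay check. The SA table, SPI values and keys are constructed for the example, the 3DES encryption of the payload is omitted, and the replay check is a plain monotonic sequence check rather than the sliding window a real implementation uses.

```python
import hmac
import hashlib
import struct

# HMAC-MD5-96 (RFC 2403): the MD5 HMAC is truncated to 96 bits (12 bytes).
ICV_LEN = 12

def fresh_sa_table():
    """Hypothetical SA table keyed by SPI: one inbound and one outbound SA,
    mirroring the transmit/receive SAs the text mentions (IKE SA omitted).
    Keys and SPIs are constructed values, not from the article."""
    return {
        0x1000: {"direction": "inbound",  "auth_key": b"constructed-inbound-key",  "last_seq": 0},
        0x2000: {"direction": "outbound", "auth_key": b"constructed-outbound-key", "last_seq": 0},
    }

def build_esp(spi, seq, payload, auth_key):
    """Build an ESP packet: SPI (4 bytes) | sequence (4 bytes) | payload | ICV.
    The payload would be 3DES ciphertext on a real peer; here it is left as-is."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.md5).digest()[:ICV_LEN]
    return header + payload + icv

def verify_esp(packet, sa_table):
    """Receive-side checks for an inbound ESP packet.
    Returns (accepted, reason, payload)."""
    if len(packet) < 8 + ICV_LEN:
        return False, "truncated", None
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sa_table.get(spi)
    # Only an inbound SA may be used to accept traffic.
    if sa is None or sa["direction"] != "inbound":
        return False, "unknown SPI", None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.md5).digest()[:ICV_LEN]
    # Constant-time comparison so a tampered ICV cannot be probed byte by byte.
    if not hmac.compare_digest(icv, expected):
        return False, "bad ICV", None
    # Simplified anti-replay: sequence numbers must strictly increase per SA.
    if seq <= sa["last_seq"]:
        return False, "replayed", None
    sa["last_seq"] = seq
    return True, "ok", body[8:]

if __name__ == "__main__":
    table = fresh_sa_table()
    pkt = build_esp(0x1000, 1, b"telecommuter data", table[0x1000]["auth_key"])
    print(verify_esp(pkt, table))   # accepted
    print(verify_esp(pkt, table))   # same packet again: replayed
```

The order of checks matters: the SA lookup and ICV verification run before any state is updated, so a forged or tampered packet never advances the replay counter.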
Access VPN Design
The Access VPN will leverage the availability and low cost of the Internet for connectivity to the company core office, with WiFi, DSL and Cable access circuits from local Internet Service Providers. The main issue is that company data must be protected as it travels across the Internet from the telecommuter laptop to the company core office. The client-initiated model will be used, which builds an IPSec tunnel from each client laptop that is terminated at a VPN concentrator. Each laptop will be configured with VPN client software, which will run with Windows. The telecommuter must first dial a local access number and authenticate with the ISP. The RADIUS server will authenticate each dial connection as an authorized telecommuter. Once that is finished, the remote user will authenticate and authorize with Windows, Solaris or a Mainframe server before starting any applications. There are dual VPN concentrators that will be configured for failover with Virtual Router Redundancy Protocol (VRRP) should one of them be unavailable.
Each concentrator is connected between the external router and the firewall. A new feature of the VPN concentrators prevents denial of service (DoS) attacks from outside hackers that could affect network availability. The firewalls are configured to permit source and destination IP addresses that are assigned to each telecommuter from a pre-defined range. As well, any application and protocol ports that are required will be permitted through the firewall.
Extranet VPN Design
The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus since the Internet will be used for transporting all data traffic from each business partner. There will be a circuit connection from each business partner that will terminate at a VPN router at the company core office. Each business partner and the peer VPN router at the core office will use a router with a VPN module. That module provides IPSec and high-speed hardware encryption of packets before they are transported across the Internet. Peer VPN routers at the company core office are dual-homed to different multilayer switches for link diversity should one of the links be unavailable. It is important that traffic from one business partner doesn't end up at another business partner office. The switches are located between external and internal firewalls and are used for connecting public servers and the external DNS server. That isn't a security issue since the external firewall is filtering public Internet traffic.
In addition, filtering can be implemented at each network switch to prevent routes from being advertised or vulnerabilities being exploited as a result of having business partner connections at the company core office multilayer switches. Separate VLANs will be assigned at each network switch for each business partner to improve security and segmenting of subnet traffic. The tier 2 external firewall will examine each packet and permit those with the business partner source and destination IP addresses, application and protocol ports they require. Business partner sessions will have to authenticate with a RADIUS server. Once that is finished, they will authenticate at Windows, Solaris or Mainframe hosts before starting any applications.
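The firewall policy described for the Access VPN (permit only the pre-defined telecommuter address range plus required ports) and for the Extranet VPN (per-partner source/destination addresses and ports, with no partner able to reach another partner) can be checked offline before it is deployed. The following is an added example, not the article's or any vendor's configuration: it evaluates packets against an ordered permit list with an implicit deny, and audits the rule set for any rule that would let one partner network reach another. The address ranges, rule names and ports are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str    # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

# Constructed address plan (not from the article).
TELECOMMUTER_POOL = ipaddress.ip_network("10.10.0.0/24")   # pre-defined VPN pool
CORE_SERVERS = ipaddress.ip_network("10.1.0.0/24")         # core office servers
PARTNER_A = ipaddress.ip_network("172.16.1.0/24")          # business partner A
PARTNER_B = ipaddress.ip_network("172.16.2.0/24")          # business partner B

# Ordered permit list; anything not matched is dropped by the implicit deny.
RULES = [
    Rule("telecommuter-https", TELECOMMUTER_POOL, CORE_SERVERS, "tcp", 443),
    Rule("partner-a-app", PARTNER_A, CORE_SERVERS, "tcp", 1521),
    Rule("partner-b-app", PARTNER_B, CORE_SERVERS, "tcp", 1521),
]

def evaluate(packet, rules=RULES):
    """Return ("permit", rule_name) for the first matching rule, else ("deny", ...)."""
    src = ipaddress.ip_address(packet.src)
    dst = ipaddress.ip_address(packet.dst)
    for rule in rules:
        if (src in rule.src and dst in rule.dst
                and packet.proto == rule.proto and packet.dport == rule.dport):
            return "permit", rule.name
    return "deny", "implicit-deny"

def partner_isolation_violations(rules, partner_nets):
    """Names of rules whose source lies in one partner network and whose
    destination overlaps a different partner network."""
    violations = []
    for rule in rules:
        for a in partner_nets:
            for b in partner_nets:
                if a != b and rule.src.overlaps(a) and rule.dst.overlaps(b):
                    violations.append(rule.name)
    return violations

if __name__ == "__main__":
    print(evaluate(Packet("10.10.0.7", "10.1.0.10", "tcp", 443)))    # permit
    print(evaluate(Packet("172.16.1.9", "172.16.2.9", "tcp", 1521)))  # deny
    print(partner_isolation_violations(RULES, [PARTNER_A, PARTNER_B]))  # []
```

The isolation audit is the part worth keeping in a change process: a rule that accidentally names one partner's network as a destination for another partner's traffic is easy to miss by eye in a long policy but trivial to catch mechanically.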
Network Planning and Design Guide is available at Amazon.com and eBookmall.com
Shaun Hummel is an author of various technical books and has a web site focused on information technology job search solutions and certifications.
http://www.networkjobsolutions.com
Shaun Hummel, CCNP, is a Senior Network Engineer with eleven years of experience in enterprise network planning, design, and implementation. He has worked for various private and public companies in Canada and the United States improving infrastructure, security, and management. He has written Network Planning and Design Guide, Cisco Wireless Network Design Guide and Network Assessment Guide. www.networkjobsolutions.com