Thursday, December 10, 2009

Internet Security and VPN Network Design

Overview

This article describes some key technical concepts associated with a VPN. A Virtual Private Network (VPN) integrates remote employees, company offices and business partners over the Internet and secures encrypted tunnels between locations. An Access VPN is used to connect remote users to the corporate network. The remote workstation or laptop uses an access circuit such as cable, DSL or wireless to reach a local Internet Service Provider (ISP). With a client-initiated model, software on the remote workstation builds an encrypted tunnel from the laptop, across the ISP, to the company VPN router or concentrator, using IPSec, Layer 2 Tunneling Protocol (L2TP) or Point to Point Tunneling Protocol (PPTP). With an ISP-initiated model, the user first authenticates with the ISP as a permitted VPN user; once that is finished, the ISP builds the tunnel to the company VPN router or concentrator on the user's behalf. In either case TACACS, RADIUS or Windows servers then authenticate the remote user as an employee who is allowed access to the company network, and after that the user must still authenticate to the local Windows domain server, Unix server or mainframe host, depending on where the network account is located. The ISP-initiated model is less secure than the client-initiated model, because the tunnel is built only from the ISP to the company VPN router or concentrator, leaving the first hop from the laptop to the ISP unprotected. In addition, the ISP-initiated tunnel is built with L2TP or L2F, neither of which encrypts on its own; L2TP is normally paired with IPSec for that. Note also that PPTP's MS-CHAPv2 authentication has since been shown to be weak and should not be used for new deployments.

The Extranet VPN connects business partners to the company network by building a secure VPN connection from the business partner's router to the company VPN router or concentrator. The specific tunneling protocol used depends on whether it is a router connection or a remote dial-up connection. The options for a router-connected extranet VPN are IPSec or Generic Routing Encapsulation (GRE); dial-up extranet connections use L2TP or L2F. The Intranet VPN connects company offices over a secure connection using the same process, with IPSec or GRE as the tunneling protocols. It is important to note that what makes VPNs so cost-effective and efficient is that they use the existing Internet to carry company traffic. That is why many companies select IPSec as the security protocol of choice to guarantee that information is protected as it travels between routers, or between a laptop and a router. IPSec as described here comprises 3DES encryption, IKE key exchange with peer authentication, and HMAC-MD5 packet integrity protection, which together provide authentication, integrity and confidentiality. GRE alone encrypts nothing; where confidentiality is needed it is carried inside IPSec.

Internet Protocol Security (IPSec)

IPSec operation is worth noting because it is the dominant security protocol used today with virtual private networking. IPSec was specified in RFC 2401 (since superseded by RFC 4301) and developed as an open standard for the secure transport of IP across the public Internet. In tunnel mode the packet consists of an outer IP header, an IPSec (ESP) header, and the Encapsulating Security Payload carrying the original packet. In the design described here IPSec provides encryption with 3DES and integrity protection with HMAC-MD5. In addition, Internet Key Exchange (IKE) and ISAKMP automate the distribution of secret keys between IPSec peer devices (routers and concentrators). These protocols are required to negotiate the security associations. An IPSec security association (SA) bundles an encryption algorithm (3DES), a hash algorithm (HMAC-MD5) and a peer authentication method (pre-shared key or certificate), together with the negotiated keys and a Security Parameter Index (SPI) that identifies the SA in every packet. Because an IPSec SA is one-way, an Access VPN implementation uses three security associations per connection: one transmit SA, one receive SA and the IKE SA. An enterprise network with many IPSec peer devices uses a Certificate Authority for scalable peer authentication instead of IKE with pre-shared keys. 3DES and MD5 are legacy choices today; new deployments should use AES (preferably AES-GCM) with SHA-2 based integrity and IKEv2 (RFC 7296).
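The security association described above, as an added example that is not part of the original article: a small Python model of one ESP SA (SPI, keys, sequence counter, anti-replay window) with the receiver-side checks performed in the order RFC 4303 prescribes. The keys, SPIs and inner packet are constructed for the example; the keystream cipher is a toy stand-in for 3DES/AES and must never be used for real traffic, while the HMAC integrity check and the 64-packet replay window are real. It also shows why the text's transmit and receive SAs are separate objects: each direction has its own SPI, counter and window.

```python
"""Simplified IPsec ESP security association (SA) in tunnel mode.

Added example, not from the original article. An SA here bundles a Security
Parameter Index (SPI), an encryption key, an integrity key, the sender's
sequence counter and the receiver's anti-replay window. Assumptions: the keys
are constructed constants (a real SA gets them from IKE); encryption is a toy
HMAC-SHA256 keystream standing in for 3DES/AES and must never be used for real
traffic; integrity is genuine HMAC-SHA256 truncated to 16 bytes, the role
HMAC-MD5 fills in the article's design.
"""
import hashlib
import hmac
import struct

ICV_LEN = 16        # truncated ICV, as HMAC-MD5-96 and HMAC-SHA-256-128 do
REPLAY_WINDOW = 64  # RFC 4303 minimum anti-replay window


def keystream(key, spi, seq, length):
    """Toy counter-mode keystream HMAC(key, spi||seq||block); not a real cipher."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, block), hashlib.sha256).digest()
    return out[:length]


def xor(data, mask):
    return bytes(a ^ b for a, b in zip(data, mask))


class SecurityAssociation:
    """One-way SA: the sender calls protect(), the receiver's copy calls unprotect()."""

    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.next_seq = 1     # sender: ESP sequence numbers start at 1
        self.highest_seq = 0  # receiver: highest sequence number accepted so far
        self.window = 0       # receiver bitmap; bit d set = (highest_seq - d) already seen

    def protect(self, inner_packet):
        """Outer ESP packet: SPI | seq | ciphertext(inner IP packet) | ICV."""
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        header = struct.pack("!II", self.spi, seq)
        ciphertext = xor(inner_packet, keystream(self.enc_key, self.spi, seq, len(inner_packet)))
        icv = hmac.new(self.auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
        return header + ciphertext + icv

    def _replay_ok(self, seq):
        if seq == 0:
            return False
        if seq > self.highest_seq:
            return True
        behind = self.highest_seq - seq
        return behind < REPLAY_WINDOW and not (self.window >> behind) & 1

    def _replay_mark(self, seq):
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.window = ((self.window << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest_seq = seq
        else:
            self.window |= 1 << (self.highest_seq - seq)

    def unprotect(self, esp_packet):
        """Receiver, in RFC 4303 order: SPI lookup, replay check, ICV, then decrypt."""
        if len(esp_packet) < 8 + ICV_LEN:
            raise ValueError("truncated ESP packet")
        spi, seq = struct.unpack("!II", esp_packet[:8])
        if spi != self.spi:
            raise ValueError("no SA for SPI 0x%x" % spi)
        body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
        if not self._replay_ok(seq):
            raise ValueError("replayed or stale sequence number %d" % seq)
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed")
        self._replay_mark(seq)  # window advances only after the ICV verifies
        return xor(body[8:], keystream(self.enc_key, spi, seq, len(body) - 8))


def rejected(sa, packet):
    try:
        sa.unprotect(packet)
        return False
    except ValueError:
        return True


def run_checks():
    """Laptop transmit SA (SPI 0x1001) and the concentrator's receive-side copy of it."""
    enc_key, auth_key = b"K" * 32, b"A" * 32  # constructed keys; IKE would derive real ones
    laptop_tx = SecurityAssociation(0x1001, enc_key, auth_key)
    concentrator_rx = SecurityAssociation(0x1001, enc_key, auth_key)
    inner = b"constructed inner IP packet 10.50.0.17 -> 10.10.1.10"
    p1, p2, p3, p4 = (laptop_tx.protect(inner) for _ in range(4))
    r = {"decrypts": concentrator_rx.unprotect(p1) == inner}
    r["replay_rejected"] = rejected(concentrator_rx, p1)           # same seq twice
    tampered = p2[:12] + bytes([p2[12] ^ 1]) + p2[13:]              # flip a ciphertext bit
    r["tamper_rejected"] = rejected(concentrator_rx, tampered)
    r["genuine_after_tamper"] = concentrator_rx.unprotect(p2) == inner  # seq 2 still usable
    r["reordered_accepted"] = (concentrator_rx.unprotect(p4) == inner
                               and concentrator_rx.unprotect(p3) == inner)
    r["wrong_spi_rejected"] = rejected(SecurityAssociation(0x2002, enc_key, auth_key), p1)
    return r


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print("%-22s %s" % (name, ok))
```

Two design points carry over to real implementations: the replay window is only advanced after the ICV verifies, so a forged packet with a high sequence number cannot push genuine in-flight packets out of the window, and the ICV is compared with a constant-time function.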

Laptop - VPN Concentrator IPSec Peer Connection

1. IKE Security Association negotiation (IKE phase 1)

2. XAUTH request / response (user authentication against the RADIUS server)

3. Mode Config response / acknowledge (inner IP address, DHCP and DNS settings pushed to the client)

4. IPSec Security Association negotiation (IKE phase 2)

5. IPSec tunnel established; user traffic flows through the concentrator

Access VPN Design

The Access VPN leverages the availability and low cost of the Internet for connectivity to the company core office, using WiFi, DSL and cable access circuits from local Internet Service Providers. The main issue is that company data must be protected as it travels across the Internet from the telecommuter's laptop to the core office. The client-initiated model is used: an IPSec tunnel is built from each client laptop and terminated at a VPN concentrator. Each laptop is configured with VPN client software running on Windows. The telecommuter first dials a local access number and authenticates with the ISP; a RADIUS server authenticates each dial connection as an authorized telecommuter. Once that is finished, the remote user authenticates and is authorized by the Windows, Solaris or mainframe server before starting any applications. There are two VPN concentrators, configured for failover with Virtual Router Redundancy Protocol (VRRP) should one of them become unavailable.

Each concentrator is connected between the external router and the firewall. A feature of the VPN concentrators mitigates denial of service (DoS) attacks from outside attackers that could affect network availability. The firewalls are configured to permit only the source and destination IP addresses assigned to each telecommuter from a pre-defined address pool, and only the application protocols and ports that each application actually requires; everything else is denied by default.

Extranet VPN Design

The Extranet VPN is designed to allow secure connectivity from each business partner office to the company core office. Security is the primary focus, since the Internet will carry all data traffic from each business partner. A circuit connection from each business partner terminates at a VPN router at the company core office. Each business partner and its peer VPN router at the core office use a router with a VPN module; the module provides IPSec with high-speed hardware encryption of packets before they are transported across the Internet. The peer VPN routers at the core office are dual-homed to different multilayer switches for link diversity, should one of the links become unavailable. It is important that traffic from one business partner cannot reach another business partner's office. The switches sit between the external and internal firewalls and are also used to connect the public servers and the external DNS server. That is not a security issue in itself, since the external firewall filters public Internet traffic, but because partner routers and public servers share these switches, the per-partner VLANs and switch filtering described next are what keep the partners apart.

In addition, filtering can be implemented at each network switch to prevent routes from being advertised, or vulnerabilities from being exploited, as a result of having business partner connections on the core office multilayer switches. A separate VLAN is assigned at each network switch to each business partner, to improve security and segment subnet traffic. The tier 2 external firewall examines each packet and permits only those with the business partner source and destination IP addresses, applications and protocol ports they require. Business partner sessions must authenticate with the RADIUS server. Once that is finished, they authenticate at the Windows, Solaris or mainframe hosts before starting any applications.
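The filtering that both the Access VPN design (a firewall that permits only the telecommuter address pool and required ports) and the Extranet design (per-partner VLANs, switch filtering, default-deny external firewall) rely on is modelled here as an added Python example, not part of the original article. Address ranges, VLAN numbers, server roles and the sample packets are all constructed assumptions. The two checks a practitioner would want to see are that a partner cannot source packets from another partner's subnet (ingress filtering at the switch) and that with no explicit permit between partner subnets, partner-to-partner traffic is dropped by the default-deny rule.

```python
"""Policy model for the access VPN firewall and the extranet switch/firewall filtering.

Added example, not part of the original article. The address plan, VLAN numbers and
server roles are constructed for illustration. It shows (1) per-VLAN ingress filtering
at the multilayer switch, so a partner cannot spoof another partner's subnet, and
(2) a default-deny firewall policy that permits only the telecommuter pool and each
partner's subnet to the hosts, protocols and ports they need.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed address plan (assumption, not from the article).
TELECOMMUTER_POOL = Net("10.50.0.0/24")   # Mode Config hands out addresses from here
APP_SERVER = Net("10.10.1.10/32")          # Windows/Solaris application host
FILE_SERVER = Net("10.10.1.20/32")
PARTNER_VLANS = {                          # one VLAN and subnet per business partner
    101: Net("172.16.1.0/24"),             # partner A
    102: Net("172.16.2.0/24"),             # partner B
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: Net
    dst: Net
    proto: str
    dport: Optional[int]   # None = any destination port


# Explicit permits only; anything not matched is denied (default deny).
RULES = [
    Rule("telecommuter-https", TELECOMMUTER_POOL, APP_SERVER, "tcp", 443),
    Rule("telecommuter-smb", TELECOMMUTER_POOL, FILE_SERVER, "tcp", 445),
    Rule("partnerA-https", PARTNER_VLANS[101], APP_SERVER, "tcp", 443),
    Rule("partnerB-sftp", PARTNER_VLANS[102], FILE_SERVER, "tcp", 22),
]


@dataclass(frozen=True)
class Packet:
    vlan: Optional[int]   # ingress VLAN at the core switch; None = decrypted telecommuter traffic
    src: str
    dst: str
    proto: str
    dport: int


def switch_ingress_ok(pkt):
    """Per-VLAN ingress filter: a partner VLAN may only source its own subnet."""
    if pkt.vlan is None:
        return IPv4(pkt.src) in TELECOMMUTER_POOL
    subnet = PARTNER_VLANS.get(pkt.vlan)
    return subnet is not None and IPv4(pkt.src) in subnet


def firewall_decision(pkt):
    """First matching permit wins; no match means the default-deny rule applies."""
    src, dst = IPv4(pkt.src), IPv4(pkt.dst)
    for rule in RULES:
        if (src in rule.src and dst in rule.dst and pkt.proto == rule.proto
                and (rule.dport is None or rule.dport == pkt.dport)):
            return "permit:" + rule.name
    return "deny:default"


def evaluate(pkt):
    if not switch_ingress_ok(pkt):
        return "drop:ingress-filter"
    return firewall_decision(pkt)


# Constructed sample traffic (not captured data).
SAMPLES = {
    "telecommuter to app https": Packet(None, "10.50.0.17", "10.10.1.10", "tcp", 443),
    "telecommuter to file rdp": Packet(None, "10.50.0.17", "10.10.1.20", "tcp", 3389),
    "partner A to app https": Packet(101, "172.16.1.5", "10.10.1.10", "tcp", 443),
    "partner A to partner B": Packet(101, "172.16.1.5", "172.16.2.9", "tcp", 443),
    "partner B spoofing partner A": Packet(102, "172.16.1.5", "10.10.1.10", "tcp", 443),
    "partner B sftp": Packet(102, "172.16.2.9", "10.10.1.20", "tcp", 22),
}


def run_checks():
    return {name: evaluate(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_checks().items():
        print("%-30s %s" % (name, result))
```

The partner-to-partner case is denied not by a special rule but by the absence of a permit, which is the property to preserve when rules are added later: a new permit for a partner should name a core-office host as its destination, never another partner's subnet.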
