Internet Security System and VPN Network Design

Virtual Private Networks (VPNs) integrate remote employees, corporate offices, and business partners through the Internet and provide encrypted tunnels between sites. VPN access is used to connect remote users to a corporate network. A remote work station or laptop using an access chain, such as cable, DSL, or WLAN, to connect to a local Internet service provider (ISP). Using a client-initiated model, remote workstation software creates encrypted tunnels from laptops to ISPs using IPSec, Layer 2 Tunneling Protocol (L2TP), or PPTP. Users must authenticate as official VPN users with ISPs. After completion, the ISP arranges encrypted tunnels to the company's router or VPN hub. Models initiated by ISPs are less secure than models initiated by clients because encrypted tunnels are made by ISPs to VPN routers or VPN hubs. It also creates a secure VPN tunnel using L2TP or L2F.

Extranet VPN connects business partners to a corporate network by creating a secure VPN connection from a business partner router to a VPN router or company hub. The tunnel protocol used depends on whether it is connected to a router or a remote connection. The option for routers connected to extranet VPNs is IPsec or Generic Routing Encapsulation (GRE). Extranet Dial-Up uses L2TP or L2F. An intranet VPN connects the corporate office to a secure connection using the same IPSec or GRE process as the tunneling protocol. It is important to note that VPNs are very profitable and efficient when existing internet is used to transport company traffic. Therefore, many organizations choose IPsec as the security protocol they choose to ensure that the information is safe when transferred between a router or laptop and router. IPSec consists of 3DES encryption, IKE authentication, and MD5 authentication routes that provide authentication, authorization and privacy.

Internet Protocol Security (IPSec)

IPsec operations are worth mentioning because of the security protocol that is commonly used today in virtual private networks. IPSec is determined by RFC 2401 and developed as an open standard for safe IP transportation via public Internet. The package structure consists of an IP header / IPSec header / security encapsulation for user data. IPSec provides encryption services with 3DES and MD5 authentication. In addition, there is Internet Key Exchange (IKE) and ISAKMP, which automates secret key distribution between IPSec peers (hubs and routers). These protocols are needed for negotiating one-sided or bilateral security associations. The IPSec Protection Association consists of an encryption algorithm (3DES), a hash algorithm (MD5) and an authentication method (MD5). VPN conversion uses 3 security associations (SA) for each connection (transmission, reception, and IKE). In a corporate network with many IPSec peer devices, scalability authentication authorities use IKE / Pre-Share IKE / Pre-Share authentication processes.

Laptop - VPN Concentrator IPSec Peer Connection

 

1. IKE Security Association Negotiation

 

2. IPSec Tunnel Setup

 

3. XAUTH Request / Response - (RADIUS Server Authentication)

 

4. Mode Config Response and Acknowledge (DHCP and DNS)

 

5. IPSec Security Association

 

Access VPN Design

VPN access will take advantage of the availability and cheap internet access to the company's main offices with WiFi, DSL and cable networks from local ISPs. The main problem is that company data must be protected when moving from telecommunication laptops to corporate headquarters through the Internet. The client-initiated model is used to create IPSec tunnels from any client laptop that is terminated by a VPN hub. Each laptop is configured with VPN client software that works with Windows. Telecommunications must first dial a local access number and authenticate to the ISP. The RADIUS server authenticates each dial-up connection as an official telecommunications operator. When finished, the user remotely authenticates and authorizes the Windows, Solaris, or mainframe servers before running the application. There are two VPN hubs that are configured to fail with the Virtual Routing Reservation Protocol (VRRP) if one is not available.

Each hub is connected between an external router and a firewall. New features with VPN hubs prevent DOS attacks from external hackers, which can affect network availability. The firewall is configured to assign each telecommunications source and destination IP address from a predetermined range. In addition, all applications and protocols are activated through the firewall as needed.

Extranet VPN Design

Extranet VPN is designed to provide secure connections from the offices of each business partner to the company's main office. Security is the main focus because all traffic is transported by every business partner through the Internet. There is a connection from each business partner who completes the VPN router in the company office. Every business partner and VPN router their partner at the head office uses a router with a VPN module. This module provides high-speed IPSec hardware encryption packages before being sent via the Internet. Peek VPN routers at the company core office are dual homed to Multilayer