Virtual Private Networks (VPNs)
VPNs integrate remote employees, corporate offices, and business partners
over the Internet by providing encrypted tunnels between sites. An access VPN
connects remote users to the corporate network: a remote workstation or laptop
uses an access circuit such as cable, DSL, or WLAN to reach a local Internet
service provider (ISP). In the client-initiated model, VPN client software on
the workstation builds the encrypted tunnel itself, from the laptop across the
ISP to the company's VPN router or concentrator, using IPsec, Layer 2 Tunneling
Protocol (L2TP), or PPTP. In the ISP-initiated model, the user first
authenticates to the ISP as an authorized VPN user; once that completes, the
ISP's access server builds the tunnel, using L2TP or L2F, to the company's VPN
router or concentrator. The ISP-initiated model is less secure than the
client-initiated model because the encrypted tunnel runs only from the ISP to
the company's VPN router or concentrator, so the access segment between the
laptop and the ISP carries the traffic unprotected. Of the protocols named
here, PPTP's authentication (MS-CHAP) is considered broken and L2F is obsolete;
neither should be deployed today.
An extranet VPN connects business partners to the corporate network by
building a secure VPN connection from a business partner's router to the
company's VPN router or concentrator. The tunneling protocol depends on
whether the partner connects through a router or through a remote dial-up
connection: router-connected extranet VPNs use IPsec or Generic Routing
Encapsulation (GRE), while extranet dial-up connections use L2TP or L2F. Note
that GRE by itself only encapsulates; it provides no encryption or
authentication, so where confidentiality is required the GRE tunnel is carried
inside IPsec. An intranet VPN connects corporate offices to each other over a
secure connection using the same IPsec or GRE tunneling. VPNs are
cost-effective and efficient because existing Internet connectivity carries
the company's traffic, which is why many organizations choose IPsec as the
security protocol to protect information in transit between two routers, or
between a laptop and a router. The IPsec deployment described here is composed
of 3DES for encryption, IKE for key exchange and peer authentication, and
HMAC-MD5 for packet integrity, together providing authentication, access
control and confidentiality. Both 3DES and MD5 are now deprecated for IPsec;
current deployments use AES (preferably AES-GCM) and SHA-2 based integrity.
Internet Protocol Security (IPsec)
IPsec operation is worth describing because it is the security protocol most
commonly used in virtual private networks today. IPsec was defined in RFC 2401
(since superseded by RFC 4301) as an open standard for protecting IP traffic
across the public Internet. The packet structure is an outer IP header,
followed by the IPsec header (AH or ESP), followed by the protected,
encapsulated user data. As described here, IPsec provides confidentiality with
3DES and integrity/authentication with HMAC-MD5. Internet Key Exchange (IKE),
built on ISAKMP, automates peer authentication and secret-key distribution
between IPsec peers (concentrators and routers) and negotiates the security
associations. Security associations (SAs) are unidirectional, so protecting
traffic in both directions takes a pair of them. An IPsec SA specifies the
encryption algorithm (3DES), the hash algorithm (MD5) and the peer
authentication method (pre-shared key or digital certificate), along with the
keys and the Security Parameter Index (SPI) that identifies it. A VPN
connection therefore uses three SAs: one for transmit, one for receive, and
the IKE SA that protects the negotiation itself. In an enterprise network with
many IPsec peer devices, a Certificate Authority is used so that peers
authenticate with digital certificates, which scales better than IKE
pre-shared keys that must be configured on every pair of peers.
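The packet layout and the transmit/receive SA pair described above, as an added example that is not part of the original article. It models ESP framing (SPI, sequence number, payload, padding trailer, integrity check value) with two unidirectional ESP SAs that have distinct SPIs and keys, as IKE would derive them; the IKE SA itself is not modelled. To stay within the Python standard library it assumes ESP-NULL (no encryption, RFC 2410) with HMAC-MD5-96 integrity (RFC 2403) to match the page's MD5, and HMAC-SHA-256-128 (RFC 4868) selectable as the modern replacement. Keys, SPIs and the inner packet are constructed for illustration.

```python
"""Added example: ESP-NULL framing, unidirectional SAs and anti-replay.
Keys, SPIs and payload are constructed; real values come from IKE."""
import hmac
import struct
from dataclasses import dataclass, field

REPLAY_WINDOW = 64                    # RFC 4303 minimum anti-replay window
ICV_LEN = {"md5": 12, "sha256": 16}   # truncated ICV sizes in bytes


@dataclass
class EspSA:
    """One unidirectional ESP SA: SPI, integrity algorithm and key, plus the
    sender's sequence counter or the receiver's replay-window state."""
    spi: int
    auth_alg: str          # "md5" (page's choice) or "sha256" (modern)
    auth_key: bytes
    seq: int = 0           # transmit side: last sequence number sent
    highest_seen: int = 0  # receive side: highest sequence number accepted
    seen: set = field(default_factory=set)

    def icv(self, data: bytes) -> bytes:
        return hmac.new(self.auth_key, data, self.auth_alg).digest()[: ICV_LEN[self.auth_alg]]


def esp_encapsulate(sa: EspSA, payload: bytes, next_header: int = 4) -> bytes:
    """Build SPI | seq | payload | padding | pad_len | next_header | ICV.
    next_header 4 means an IPv4 packet is carried (tunnel mode)."""
    sa.seq += 1
    pad_len = (4 - (len(payload) + 2) % 4) % 4      # 4-byte alignment for ESP-NULL
    padding = bytes(range(1, pad_len + 1))           # RFC 4303 default pad pattern
    body = struct.pack("!II", sa.spi, sa.seq) + payload + padding + bytes([pad_len, next_header])
    return body + sa.icv(body)


def esp_decapsulate(inbound_sad: dict, packet: bytes) -> bytes:
    """Receiver: look up the inbound SA by SPI, verify the ICV in constant
    time, enforce the sliding anti-replay window, then strip the trailer."""
    spi = struct.unpack("!I", packet[:4])[0]
    sa = inbound_sad.get(spi)
    if sa is None:
        raise ValueError(f"no inbound SA for SPI {spi:#x}")
    n = ICV_LEN[sa.auth_alg]
    body, icv = packet[:-n], packet[-n:]
    if not hmac.compare_digest(icv, sa.icv(body)):
        raise ValueError("ESP ICV mismatch")
    seq = struct.unpack("!I", body[4:8])[0]
    if seq in sa.seen or (sa.highest_seen - seq) >= REPLAY_WINDOW:
        raise ValueError(f"replayed or stale ESP sequence number {seq}")
    sa.seen.add(seq)
    sa.highest_seen = max(sa.highest_seen, seq)
    sa.seen = {s for s in sa.seen if sa.highest_seen - s < REPLAY_WINDOW}
    pad_len = body[-2]
    return body[8: len(body) - 2 - pad_len]


def run_demo(auth_alg: str = "md5") -> dict:
    """Laptop -> concentrator direction: one transmit SA on the laptop and the
    matching inbound SA on the concentrator. Returns the checks' outcomes."""
    tx = EspSA(spi=0x10000001, auth_alg=auth_alg, auth_key=b"constructed-laptop-to-hub-key")
    hub_sad = {tx.spi: EspSA(spi=tx.spi, auth_alg=auth_alg, auth_key=tx.auth_key)}
    inner = b"\x45\x00" + b"constructed inner IPv4 packet"   # constructed payload
    pkt = esp_encapsulate(tx, inner)
    results = {"roundtrip": esp_decapsulate(hub_sad, pkt) == inner}

    def rejected(p: bytes) -> bool:
        try:
            esp_decapsulate(hub_sad, p)
            return False
        except ValueError:
            return True

    results["replay_rejected"] = rejected(pkt)                         # same packet again
    results["tamper_rejected"] = rejected(pkt[:9] + bytes([pkt[9] ^ 1]) + pkt[10:])
    # The reverse-direction SA has its own SPI and key; its packets are not
    # accepted on the laptop-to-hub inbound SA.
    reverse = EspSA(spi=0x20000002, auth_alg=auth_alg, auth_key=b"constructed-hub-to-laptop-key")
    results["wrong_spi_rejected"] = rejected(esp_encapsulate(reverse, inner))
    results["icv_len"] = ICV_LEN[auth_alg]
    return results


if __name__ == "__main__":
    print(run_demo("md5"))
    print(run_demo("sha256"))
```

The receive side rebuilds its anti-replay state per SA, which is why the two directions cannot share one SA: a packet valid on the hub-to-laptop SA is meaningless on the laptop-to-hub SA even though both belong to the same tunnel.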
Laptop to VPN Concentrator IPsec Peer Connection
1. IKE Security Association negotiation
2. IPsec tunnel setup
3. XAUTH request/response (RADIUS server authentication)
4. Mode Config response and acknowledge (DHCP and DNS)
5. IPsec Security Association established
Access VPN Design
The access VPN takes advantage of the availability and low cost of Internet
access to the company's main office over the WiFi, DSL and cable networks of
local ISPs. The main problem is that company data must be protected as it
travels across the Internet from telecommuters' laptops to corporate
headquarters. The client-initiated model is used to build IPsec tunnels from
each client laptop, terminating on a VPN concentrator. Each laptop is
configured with VPN client software that runs on Windows. The telecommuter
first dials a local access number and authenticates to the ISP; a RADIUS
server authenticates each dial-up connection as an authorized telecommuter.
Once connected, the user authenticates and is authorized remotely on the
Windows, Solaris, or mainframe servers before running applications. Two VPN
concentrators are configured to fail over with the Virtual Router Redundancy
Protocol (VRRP) if one becomes unavailable.
Each concentrator sits between an external router and a firewall. Newer
features on VPN concentrators mitigate denial-of-service (DoS) attacks from
external attackers that could affect network availability. The firewall is
configured to permit each telecommuter's source and destination IP addresses
only from predefined ranges, and additional applications and protocols are
permitted through the firewall only as they are needed.
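The RADIUS authentication that backs the XAUTH step and the telecommuter check above, as an added example that is not part of the original article. It models both sides of the RFC 2865 Access-Request / Access-Accept exchange offline: the VPN concentrator acting as RADIUS client (NAS) hides the user's password with the protocol's MD5-based construction and later verifies the server's Response Authenticator, and the server recovers the password and decides. The shared secret, user table, NAS address and identifier are constructed for illustration; no network traffic is sent.

```python
"""Added example: RADIUS Access-Request/Access-Accept (RFC 2865) between a
VPN concentrator (NAS) and a RADIUS server, with constructed credentials."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type | Length (covers the 2 header bytes too) | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = blob[i + 2: i + length]
        i += length
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block using the Request
    Authenticator. MD5 is what the protocol mandates here, not a choice."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i: i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i: i + 16], mask))
        prev = hidden[i: i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """NAS side. The Request Authenticator is a fresh random 16-byte value that
    keys the password hiding and is echoed into the reply check."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def server_respond(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, check the user table, and sign the
    reply with MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()


def nas_verify_reply(request: bytes, reply: bytes, secret: bytes) -> str:
    """NAS side: discard replies whose identifier or Response Authenticator do
    not match (spoofed reply or wrong shared secret) before trusting the code."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if identifier != request[1] or length != len(reply):
        return "discard"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "discard"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "discard")


def authenticate(username: bytes, password: bytes, server_secret: bytes = None) -> str:
    """Full exchange with a constructed secret and user table. Passing a
    different server_secret simulates a spoofing or misconfigured server."""
    secret = b"constructed-shared-secret"
    users = {b"telecommuter1": b"constructed-pw"}   # constructed user table
    request = build_access_request(7, username, password, secret, bytes([192, 0, 2, 10]))
    reply = server_respond(request, server_secret or secret, users)
    return nas_verify_reply(request, reply, secret)
```

The shared secret is the only thing protecting this exchange, so the concentrator-to-RADIUS path should itself run over a trusted network or inside IPsec, and a reply that fails the authenticator check is dropped rather than treated as a reject.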
Extranet VPN Design
The extranet VPN is designed to provide secure connections from each business
partner's office to the company's main office. Security is the main focus
because all traffic between each business partner and the company is carried
over the Internet. Each business partner has a connection that terminates on
the VPN router at the company office. Both the business partner and its peer
VPN router at the head office use routers with a VPN module, which performs
high-speed hardware IPsec encryption of packets before they are sent across
the Internet. The peer VPN routers at the company's core office are dual-homed
to Multilayer